23542300x8000000000000000271636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:09.735{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E1ADC1A1D7B9F5087FAE86378DD5FE,SHA256=4063839590A07E0714911A4AC67ABF343F87A9214D7AEEE0EBB027C798E05A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230946Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:09.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524F4B79C70D66F99BF16CEC4FEAD244,SHA256=80C4A198F4ADBCD1D8D367DE3D5CA79D37AB18769401F4906FA64044214226EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:06.600{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:10.750{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DDF7663B6692F5E580F1CFC969DF42,SHA256=CFD3F9186713F231901062093FC579B2B4A2FE0D75D02EFCE1E56E34316A5193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230947Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:10.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0034DE7FED972519A2800FE8ECE469,SHA256=B89C2864E97EC2B40B369768D50C0AFE72B7F655E3D15AD50F5658B7AF8797D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:11.766{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19595C222BAE9134B65B2CFC287F4AC0,SHA256=686D42B0F27A32C900B17E2271378E1D26CA90997BD5C24046E61AD793D0EA59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230949Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:08.215{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230948Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:11.075{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EC97337E6E8DDDF67EA750E9AA7E04,SHA256=B090BBEE0E9836D526485C1966CC9A23613D3CBE210A1CC4F48191B8BCDD279B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.781{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC05470DF67EFA3932655C073CA0A703,SHA256=86965AAA8EA50C22B9B530DF44978DDE6CCF1819DA2A2E4DBC156776C8F8EE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230950Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:12.075{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8784FD9C9FE20F524F8207DFD01B51DF,SHA256=2F6C1473532AD7D7888ED3AF9B744B72DCEFE581B7865347967A608B2F311330,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.048{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.797{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE8F1196AB48A6793B693771C58ADC6,SHA256=CC2060F1A2EC1F0B8496D7BE76D5897483770AEA49CB0F29DF90219BDCDD6BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230951Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:13.091{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F25B2DAACC123A1D19B6D3480175E0D,SHA256=767C95D919CEA0EF7AE575CEFF9BE8C82F29B601FC3D56259478223E17F0B121,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.766{80A11F3A-69ED-6127-ED03-00000000F201}46362472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.564{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.094{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71D6065971BA0CB8453C4873D5CB098,SHA256=7C4957D10FCE6B6AEACD0B2FBFFE53F2AE4B194CDC515D56ADE21117E3BCDAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.079{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EE01EBDB892D57CB574C7C619CE445,SHA256=071AA66760447A48BAA94BDB4C9A54E57E1410D60C60FBB69DD13E3EFEEB2952,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.064{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.813{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253B1C92B428AEE945991DCF18953C22,SHA256=DF39D830E7F0E3C73EAE7899E1C2A735C1D7592A9F2D9D9401717B3EE41D5D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230952Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:14.122{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40DD543A352482673196830FFAD64AD,SHA256=A33605625ADCF13E0CA86F9B355B59CF0BC0A5B1CEB2B5288654DD305E6A68CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.641{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71D6065971BA0CB8453C4873D5CB098,SHA256=7C4957D10FCE6B6AEACD0B2FBFFE53F2AE4B194CDC515D56ADE21117E3BCDAE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:11.772{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000271673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.054{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58098-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000271672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.053{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58098-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000271671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:15.828{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0253B633F6CA2F203D6F4C777FBFDFC9,SHA256=F907072CB138854ECA19BFDBB6E8D906A9E5733B3F485DBA81A2735EAADF88CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230953Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:15.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3809FEA2FC63DCF746AB22D7240CEDCE,SHA256=0B2E6E253E3215A90E93E12F67BC37F9D8412C304A4CCCC785BA4D1829E84D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.844{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CD9D3001A006ADDEAFA5E30C0F6367,SHA256=BFBA4937F5D6D48F68BECAA0DCBE8580A5684A501DE054E62222E9F76A4CAED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230954Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:16.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8919B793BB0A8B4DE9CB30C2BD35DDC2,SHA256=56CCEE7792A1E0100A72D148574008E5B40A19087492415F51DC84D3307A5C18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.798{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.844{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331A0BC3B9F0C759B3E98ADA9B1EB3BB,SHA256=758FC2895A8EC27598F317600E1CBDAED2F5B3D9D0832DC91DCBF4D627596F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230956Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:14.059{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230955Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:17.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A508852F9B6542B5DAAFBA1A1CD70AF,SHA256=575F9284A7A5EFA51A926FCB3E0617490807810206FC17D59562C538A10E4BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.813{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57F59B2B300546EB7648553A083B9E8A,SHA256=23FF54AFE720B5A1DA6FD800C53B052CB99F56EFA2F78FE72972F4DB17A44BEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.798{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.531{80A11F3A-69F1-6127-EF03-00000000F201}32601000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.298{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.063{80A11F3A-69F0-6127-EE03-00000000F201}38045076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:18.860{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579FCCFF4AAC912FC7BE6771BCEC3248,SHA256=65A89773A5BE58E9E6F3E790C86E4AD5389BAB4861D28018BD6C098451635AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230957Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:18.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44257D1185245AF826FB7D7E16DD808D,SHA256=7CE1DFA7A900EBB0F3D5E5441CEC853481C23A369B5DB8F272C762574A78C426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:18.063{80A11F3A-69F1-6127-F003-00000000F201}20965096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.860{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8DF1C9BC6117F3E5C4DBC21B525BD5,SHA256=C16F9AB1707C4BC19C80A451E62E24C770C177DEE435F096F5949FC3041092BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230958Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:19.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D174DA8261F91D297AAD7FFD0734611,SHA256=2BEE2DE4C953BF382DD8E429F296D0F2EEBB4BE7B744BA321A072CCB2D86DD38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.517{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:20.875{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80E8F566BA7B8912C6B4E4F3EB0A2A7,SHA256=74448CD5AB1C241E7263CE9E381E69C84BB75C8B0EEB00153E09DEAD7015496D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230959Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:20.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694901F67A8D9AD33619570D8B12BACF,SHA256=A967468535A76EC00157D34FD94FB08C7D2E9EACF03D4DD73F4EDA909A2815B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:20.578{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1A0E8BA6E2B7F3321BFCA710A6D814E,SHA256=C3FC856D4F88C37D452D0DABB76DE64E3FF6C4A424F1196394D83932AA5940FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.787{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:21.891{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F2EC5F1A5E4C0CB10B4978EF8A039D,SHA256=E4EF4892B655FD00BF34C13FA10FDFC6CD19EF0CA576392DEBFA4EABD0BD6617,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230961Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:19.090{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230960Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:21.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018602F0EB43FD14DF44FBD8981961B8,SHA256=9FC5DA7F831A4300274CD2B419937431D09BB0DAF2592A2BF47D71C625D75D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:22.906{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AED429947949D48DC626D46DF9474E,SHA256=E2FF7DD04EC83EF6B4474CF096AA39DCBDCE4E6EB807FC0FC293789779D85B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230962Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:22.247{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0C1DDE66C794630160365D3749F0B7,SHA256=2F8C73965B698CD21C5D4568EC0A64B90BE15E012FE784DB97B2B9977F02F131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:23.922{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D46CAA111B1DBEB5466DA88641AEC0C,SHA256=C5E4495C433D3514638F993B894B0529769E3FEE1379DE41ADB1928D2CC73083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230963Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:23.262{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0552779145A4F37B85C114E7347C0A06,SHA256=562E8A718B0EA8D33E8F97A7FF5ACA8F9E72582BECA8EF40CFB5D9A34784EC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:24.922{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DEFA84A022AEBCF0496432A3813B9F,SHA256=066DE017DA710445D6AE2D0D95C6542BE1CF3A34DE135CC62A72453B6E8EBAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230964Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:24.356{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958F97B06620A3E105789CE9086F0CB1,SHA256=7AF8AC97A0CC45F7569C5D6A949A0B8C76C71D8E592A36C6636494E8DD33B539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:25.938{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3A08A829B42DC874134FBE899E90A5,SHA256=2EA4A555F2B11C2A66880A316BAB98267A9C6158B3E1FF7473E897C5BCB927AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230965Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:25.372{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E44DCFC1CF76F3F8DE000CD88EC9D86,SHA256=9D7520B825F65A3A970575500BE61DEF9AFA70311AD8956C2229D3625FC301CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:26.953{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83D1849C3BA1D8E500D8306A40E1B30,SHA256=70734C293A6D64D4A09888FD3E1D0C20AF6164B1F14262ED088EA8C9CAB5DB51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230967Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:24.107{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230966Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:26.387{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBE46E79E5F097DCF910FE4A58F6A41,SHA256=C43F331E89D1F1037268B7ADA1875D1E2F62AD34A779C26F86F23980CF8431EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:23.819{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:27.969{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74FE06F60E36214C7AEC1F4E0EADF76,SHA256=6CC7431E7EC319D14E445FC2367F1C0A1CE4FF5CE584254B325211978C968452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230968Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:27.419{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196BBA9AAB1E00F37868B6F11D8953CD,SHA256=D8F257180B513290D306C25067DE06EACEC0C550CE6251069F27E42FF4499FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:28.984{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C795C71C58EB121C873420AEACEE392B,SHA256=D58324E237C7262FBEB56DFBB233A1B0C84B13C725DD1071E30A3328FF1FB759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230969Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:28.419{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB13E5D7FDF870337D3CAB5953BA9EF,SHA256=90B1F08C9C1CAFC72D22814EA86A357ABC3D779D4D43EB2E894C2867018D54DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230970Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:29.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB5878D9B88DC8DA951E5EE668FAA7C,SHA256=413F13690FDD6B442A02B1EE943393C5124376F2A5D3B84A5ADC97E080C993B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230971Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:30.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB06C9592174041CF6510CECA6DA89E,SHA256=B844E26C40333CF62A8218E49EAF59DFD4FC343876C220C72E803B456E1D02B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:30.000{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192CB51541F4A97049B887553A42E8C2,SHA256=E70A121BE9DCAE3C4348FD4DC41202A938C4D911A06BC78B08EE210EA2E4844D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230973Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:29.153{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230972Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:31.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBE99805D8D8F66CA8A43842FE36123,SHA256=F3ED489300808EFBCA0CB1F76FF44363A33CB5C37A4FDDD10743E52CF4D13B3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:29.569{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:31.016{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A521496A986195DE03C80A7AF9C838,SHA256=C1799D88173193C80E7D095183D7054001180A25F9E8A427E4DF96E0E2D3F91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230974Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:32.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F034CA97FED58E7894EE4E083CFAE7,SHA256=4810C260E5FE53A3905FF974BA2489B95E43855DCE579297455730678D6A61BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:32.016{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485898EFA44FA81E12189C85E62F521D,SHA256=04D18C233B3F85EFAE78C5359D559A892D4EDE151A24F10715D1A755023E2CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230975Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:33.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B492ABE0CE0E5D53787335198DDD3275,SHA256=E0029AE6E0E5A4855202474CDA14BE1BF0F14B9D1BB7CA51FEB525D7A6EB7A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:33.032{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31D0FE0269A7B35B1CDC672A7116E86,SHA256=145B09BFEE06206715F2499F5E210507CFD03BCE779EDF220A0594CCB5C74370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230976Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:34.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C2C0B9CEC22A249E579F3F0B2AAA24,SHA256=299601E9D51746DDADA04DDF390F3DE0D211869F4736FFBD28E1F3DBDD2277BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:34.047{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61408FB23820B10286BDAE9B4A1DED45,SHA256=029ED69D7E2B0E33DD88E7B6F9047ADE1E802FA3B0F8AC94BA4A123B006AF0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230978Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:35.750{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-111MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230977Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:35.514{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704EDC7CF31AF58906D09124783BE2CA,SHA256=A8846D265CBCB3A35EC6F0D614B74DCD54747F48B1E2DFBA23ECA268128C89B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:35.063{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0708C22474104C6BAB28919A39A2252,SHA256=64BA7EE16BBAD883BD00D95F74DD5DDC78E047B932F3332F830404092393430F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230980Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:36.749{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230979Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:36.514{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CA7E2E0B6AD0CD48FA6DE2E4F7259B,SHA256=259A315F30DB7A9AB592922CE1F9F039BFD8EBC4B6404FDB7786D1C7163265EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:36.078{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F5FBBA45805F5C663D36B30D7D6121,SHA256=624D6D7D149034507DD1FA7242B04A585663C992E53CCC229A96AA46DE74CDE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230982Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:35.123{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230981Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:37.528{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DDF03C3B4A783BC696BD38F1A7CC2E,SHA256=E61012A5D6A588757C747C49AAB3826827704DF8DABCF97E95173D30FFE71464,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:34.725{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:37.078{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA54183EFC6C64D762ECF2D57A0EE1D,SHA256=632DECCF04A90F5D7AC9D5228DE67D4E75E69B2CDC5D817BB7A0FCFB584D720D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230983Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:38.528{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6E92A09132C5CAF6773C5E8A004037,SHA256=3C22AB9AB4B92212F3ECAB7B5AB6AF29FC336330402D33882ECB7E1B34372E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:38.094{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12925719806EC015512AAED4E1DAAB1F,SHA256=E52D44CD0E3E63756CB87C6BDD7C3C02EDD7D58D04B784FB563A391A9645BBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230984Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:39.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E501A832D60E886A53B3E06A84BF09CD,SHA256=EDAB2D925B385739C33833DA3D8B1AFDEF58EB7FF0FB1B25A00FA089B7A408F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:39.109{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EECB45A549BC098749A621541E5C852,SHA256=313776B5E6D36EDB24B8FE67C22FBE30BFF3E254ABDA96B5777C4D5EE673B1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230985Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:40.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAA6A473C0D076226D4F8DB64CB41F2,SHA256=C2A0D3C4EE29770AF6188FEA7268B886921773AD8464D7308635C90E59C93B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:40.125{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77BBB92A3E95CFD8B8B6ACBC7F70F3C,SHA256=0EFD29CFD60E1A2DF09EE60018F53EF8103B6C06605D7B35318C1F576EE68669,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:40.094{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a63-0x75e29bba) 23542300x8000000000000000230986Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:41.669{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C24AB0D28A3D412E8F578DA575D667F,SHA256=B63A2023AA35B42DEE40D626B50A647F1E53DF4E748EB618416191411BA7F2B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:39.772{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:41.141{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4F07CBF8674A4A2C64769AAFF8D589,SHA256=E91B10132F9351096A0D44A9A500FA742E2DC3E3FBBF66DE790E0F1A31E395F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230988Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:40.185{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230987Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:42.684{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73928ACBA93CF88FE611FE6DAD24C2FA,SHA256=E99DE204B72C9157765771C84C8842B1F3881A9A47310FFA9CD2E5F8397C3E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:42.156{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2A0C58EA293A5B79469CD924569902,SHA256=DA92FF204F428032BFCB4A69E4E81C167A8A6DDAF43D91790DE0944693E5D974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230990Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:43.731{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683CC7FCE1464A45145FD8B9DD307EF8,SHA256=E58E203CF5B02B083617327386D43FE4D965A923CCC70F7BE0741232694EF63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:43.172{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0A626DE11EF85DF26BCA52C197D7AF,SHA256=CA660A95D77DB700CBAD176655143D4541CF97FD75C0CB0D213D5278862E4A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230989Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:43.419{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FB161ACB1DC396B9FA772F4748C48BC8,SHA256=3E9BA90C006A46C6B041476A6B7AA2B1F31C00E0349DAD37322DFA6A51009D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230991Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:44.731{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60072C865FF7948229FA0DAD1E220B58,SHA256=50336ADEF14CF4B3B71BE1CC3674F46F1AB103B87A61D585A01F812BE74D22FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:44.172{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E803C9973A97E77EE0FCB753E7795081,SHA256=60F696DB2B9C50EDA716A8BC4503365CA64B298FCEE3EB257BD5AA6EF623E05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230992Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:45.747{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEDC28FB24A95F18F2966743B0382AA,SHA256=6F54AC11F919447A99F56EBE3FFA478462C8435858FB85982B9FDBEB8E9B8C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:45.203{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEF138835A4D677905AA789C85F0A2F,SHA256=0FA3383E6EFD950F57CC84E6ED4F6E041532DFA85D2BC2425E0178C71BB6CCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:45.141{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DEE9E1769CBF61135D0EEFACC81ABE67,SHA256=6CD13F986E620787370CE11057C5AA645EDD22BC1749F23E73CAA86A5FFB0D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230993Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:46.796{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4D2AE0FE2FE2050C94E571A8E263FC,SHA256=FA4C80652232F0D4A21ED3E52A825B17F61F3D8E3546A1C350D618FDB3489623,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000271756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00696ff1) 13241300x8000000000000000271755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0x1786d82a) 13241300x8000000000000000271754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a63-0x794b402a) 13241300x8000000000000000271753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6b-0xdb0fa82a) 13241300x8000000000000000271752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000271751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00696ff1) 13241300x8000000000000000271750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0x1786d82a) 13241300x8000000000000000271749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a63-0x794b402a) 13241300x8000000000000000271748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6b-0xdb0fa82a) 23542300x8000000000000000271747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:46.219{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41727434564186227FC72D62805FD41,SHA256=75FEA50661E8FE82ACE8072EDE532BED7B35745A0D87455FEC68AE9EC35903D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230994Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:47.811{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CD93BC88F320CA13CBC70D85C8435F,SHA256=F1DC14AD74810B2BCD0ADBCD7F511B4F1CB0E48442E5D05B729033BEEF0A85AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:45.631{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:47.250{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D216E81B8394206AF1BED9890F12D90,SHA256=71E6667F83B2E6DDA5ABC6FBD0FF0AC613B06A50A24701CC1333CD8849C72FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230996Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:48.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44C952622744F316EEA0BDB457BAD9F,SHA256=76823E40FEF559DE87F6EC6B1C16DC3BF6C1CCC97AA102ECE4C870EE81C1D24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:48.266{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3843E074E7438EEC4AA98E6CDF59179,SHA256=DC238590EC9F1E94897C1E699538736D91116BE3EC507D2745A89B366D9C6081,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230995Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:45.216{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230997Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:49.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9C7BC0B46A69F318B4E4FBD565D7C7,SHA256=DE3A6627DA55655CFA2DD683BB9D7AC15E1B94068ADF3C43282AC21E92A63651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:49.500{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:49.281{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9F007C72F319D75718732C6BC79FCB,SHA256=8796A56AEA0DD1F85221E51F8FA2AC2D42A10C5A8466445D706F4D977E0B2892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230998Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:50.921{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80099D162311ADDB2FDDEC061C21952A,SHA256=226E2C452DCEA473F101FA413FFE98936ED9D61E670B9F92476BE846E645F411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:49.053{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000271763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:50.312{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6F9DCC05AB8D9457D88E04D09A2750,SHA256=CC65D4DB76C8262A57907BBFEDBB581F3675F255DA2F57A40541768AF5D41F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230999Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:51.921{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2969983A210C8E5E006ADDEE3AEC83E8,SHA256=D11385A8545C2C821ACDDE51F2018616815C0B6516C9E367085B914D7C3BE802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:51.312{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77365C85535FE251D4B41FC84BC09C2B,SHA256=242FF12431E4C93E375D96524CFFBFA9AF27FF123DB6944C7CD081EFEF91DCDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231000Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:52.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71E6F99AF1E555864D21190D5F0B766,SHA256=60C07726202A8FB6423CB9DDE6C7FD0D4253730F2D8171689CB1C9A5915EEF1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:52.912{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-111MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:50.787{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:52.344{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F87180B4750A46E13CDFF58F888CC69,SHA256=C966C614BE7FFD94CD853E2A73BCF2B8C6DF57815D580FE2DEE868E0D526A8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231002Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:53.952{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5B7B11E4D842B0BC03455DDFCE1C05,SHA256=513A125B5D1675E732801FD3AE889C2C7ED958CD520C2092E8C49330B7870542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.930{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E5BB78DD10AB5462E13732503E3B74F1,SHA256=9EF9B1B57933B316C99FC63E0183097E80398493F35107174CAD8E79D6A17570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.930{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DADAF3B356742E7845BD6D4D203C1DA5,SHA256=92E747718403BAAC3EF952FE4AB7E49BEFFE8ACDDC8C725D3BAB3FB15E576EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.913{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.893{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.893{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.893{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.815{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.690{80A11F3A-4F17-6127-1300-00000000F201}9881388C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.347{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D3170BB99B3B23465103EB54434552,SHA256=A6BA0D435C6B1400398D568A159C3A7254605D90AC0B1189209410198BED9E22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231001Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:51.046{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231003Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.952{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF523D2C711A61B6C98C9241E354109E,SHA256=E8EFDB8049DC189A3D1A4E0856C8EDD36D66100108308D469ABF84108ADFA657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.714{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.714{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.699{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.683{80A11F3A-4F80-6127-8000-00000000F201}2204644C:\Windows\system32\csrss.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.683{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.683{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.352{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589A956985B01FF43ED57FAB003483FE,SHA256=71A06CD92BD617B5058E34184CD39FAE282DB03BB012A90FA9B6F083A514D598,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.985{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{80A11F3A-4F17-6127-0C00-00000000F201}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000271788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70DF423E45663B54631C6C5C4E8F63F7,SHA256=8531A5B533EA1B948F386D2E7A3F98884FA90DBCDCF390E2D710752BDD0319C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F874CE492B314893F4A56D3845EA5453,SHA256=5346B829985E7894F188AE83B9AE25EADD8F1623EDD86A77B27E6B8371693BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.355{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F06E18EB4210CF192511278F019DD00,SHA256=12569CDB83E2D199E0D1BD75D3181CEC0CFA3DEAE5221FB2C142C0FD8B83C43D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231029Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231028Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231027Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231026Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231025Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231024Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231023Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231022Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231021Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231020Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231019Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231018Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231017Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000231016Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231015Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231014Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231013Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231012Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231011Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231010Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231009Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231008Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231007Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231006Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231005Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231004Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.000{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.168{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E5BB78DD10AB5462E13732503E3B74F1,SHA256=9EF9B1B57933B316C99FC63E0183097E80398493F35107174CAD8E79D6A17570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.996{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70DF423E45663B54631C6C5C4E8F63F7,SHA256=8531A5B533EA1B948F386D2E7A3F98884FA90DBCDCF390E2D710752BDD0319C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.355{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34A04F93F980626121557F94F6A417A,SHA256=17E307C192A6D0A373332F0C0D23604DE64B396280922E45AE04A3C81C7BE431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231047Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.467{D371C250-6A18-6127-BA03-00000000F301}27001532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231046Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.374{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231045Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231044Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231043Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231042Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231041Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231040Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231039Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231038Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231037Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231036Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231035Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231034Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231033Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.344{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231032Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1566B40EDF2E7482D11CFAED7C0037E6,SHA256=23D25FCF94BA789E841E09559B3F724134884B5EA16BE693249951701666BCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231031Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3956BCEC829848DDA4D5C3B88C9E71BD,SHA256=82C9BECB4DF06898A47108D214C81F0D34B4BF0B2BC200B2042DBE9149FCB300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231030Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D9B679A925DA76AB2F79092EF699F68,SHA256=1E82F5D620FB636E97F7117ADBEF4E95E38D7A5C5038C4E2DA65DEC3D35CC06E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.011{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.011{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:57.371{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7890D3A541351444FABB907F2B6323A1,SHA256=D58F83CAD877919060B3C88510A88652424DF941777B0E799BE8C80CAE75ACE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231049Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:57.342{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1566B40EDF2E7482D11CFAED7C0037E6,SHA256=23D25FCF94BA789E841E09559B3F724134884B5EA16BE693249951701666BCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231048Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:57.155{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4805048E6976373D0F06D5517C257271,SHA256=9463BCEDD847A31DFF983EBA13F34F50327777FBAD1983F0E38DDEC1B264286A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.767{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:58.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFD3B27E2973E69D35DE4CCD5FD0D42,SHA256=090D63974B8EC89C084C10E5AB57AA43EAC6F8E249377E0066AE0D902B838E60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231065Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.717{D371C250-6A1A-6127-BB03-00000000F301}8403340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000231064Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.327{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000231063Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231062Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231061Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231060Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231059Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231058Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231057Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231056Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231055Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231054Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231053Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231052Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231051Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.515{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231050Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.155{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0A3787E50E97457E9B6A0E55462D5D,SHA256=FD904B78D0A1149342DC0A1722843FCD0539B0724B530FF985E458BA1EBBD3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:59.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4179C61557FCA27557B4AE54D2D17595,SHA256=DEA77763158A80E134BE0BA37759C07967ED188661677D08A04D4B4F029D2405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231082Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.827{D371C250-6A1B-6127-BC03-00000000F301}1722408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231081Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231080Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231079Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231078Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231077Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231076Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231075Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231074Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231073Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231072Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231071Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231070Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231069Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.657{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231068Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.109{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231067Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.561{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B49FB646555A5B384AD697D8EA15AB94,SHA256=81710E512D2B85AACCAE66170D9D0E9887353BD69490816855F456C067A3484D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231066Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.171{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E450C0DC5FA0C9A4F936BD6A1C1326C,SHA256=14850E18FE0AE7D18CD9194359818501A12637295E8A021C99E9BA23BB4FB718,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000271806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:00.433{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-08-26 10:17:00.433 23542300x8000000000000000271805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:00.402{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1350CC684E97D9B89F4C0C22CCAC735,SHA256=F1C43F950A350B2A838D67EB88DB769423C9011B47DA234A2E887F1B826FBF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231098Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F27C289047E0365AD7D5D4067E5FDE55,SHA256=91DF3E5BF0CCB3FBBB7A0D693EA13905B5657B638DDCDDB5F5782FDE59EE464C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231097Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.530{D371C250-6A1C-6127-BD03-00000000F301}23323660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231096Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231095Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231094Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231093Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231092Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231091Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231090Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231089Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231088Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231087Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231086Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231085Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231084Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.281{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231083Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A9CD163F4D35115073F7DDB267E0D2,SHA256=9263D7353A7FC59F452B3158E22699839591980BD126B4AA33EA71BBB515C4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:01.449{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C1C1A9673477271DC657141AEB5A6B,SHA256=531A4955E9B65409D4D1C783D3423E54B0FFBEEBC703DF36C05EFFB04810AC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231099Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:01.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872587B160C62EB2A8FDA0184EC037F3,SHA256=A3CEB902B2273526C5E49AF226EE05EB2694979D7B439F545111A4212500DADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:02.496{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418658A4B3DEAB166C57A4B86E4BBBC9,SHA256=CFFB696A1AF8A79558ACE7C9AAE6F43EBA1F04D627A5314010C29587A58027A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231113Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D20A82DD527A82455002C0A548C954E,SHA256=3EA682DCEAF2F85486FC7619776A94DBBD67ADBD7DD509EDF67193EDB4C7B7C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231112Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231111Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231110Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231109Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231108Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231107Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231106Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231105Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231104Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231103Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231102Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231101Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231100Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.093{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:03.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E933A63F71B5D25B2270D03EE31B94,SHA256=6A1790AC5EEC0649BA148D74901CA22AF077957D4367AD208F8ED23A1D63AE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231115Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:03.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3A1EAA6FFAF94EE4B783FDC53D1B5F4,SHA256=5C6D1AF00E1BAD72758630AE422980EF582EFD9CCA9125C50EF99E73DE58224F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231114Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:03.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDD4EC31CD60B5C55C2665E19249961,SHA256=2220142B27369A5502DD347AF3076AEEF21F18EF9736E667ECD30395E001A18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:04.559{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019F4178D88B8D771F524BE3AC6260B3,SHA256=D083E6F4E12CF7566CDE3880EC4E2A3B7F85E900F21A0C1C75C0C464002E1B0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231117Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.031{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231116Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:04.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E39189AC2CFCC4460491A893327B51,SHA256=F6DE5B9EE1EAF7647F707F6622ED574ECC5E5D791C895695C7495E3520626966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:05.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A5918DFED48623231A0ABAEA39B167,SHA256=9E2407BEAD772ECA088C2F14926D2772F542C09577BE0AAE0901810D85D4CC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231118Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:05.202{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B5FD8DABA6EE2D07F234F3C9F69DBF,SHA256=EF6C3FE4D0C620C3341566B3C7FCE793F1FA42CE44EB2131094F1A5E36CEC817,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:02.705{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:06.622{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A945EC0EB3BBEB4817186AB9E9FE67,SHA256=BA768C50124077C247497CD8E12CDAEA73F62548AB82A581A4DEE6F448F3419C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231119Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:06.249{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B68ACAD137F21136450584CAB646AF,SHA256=2DB79A3653294E4F51651177863305D37703FC3A400EA063FDAF10BFFC9C9B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:07.638{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3CC52611E25D205C4F27AA56990BF0,SHA256=864B88A7C7338DB239F7339C7CA54A154017F6BB258A57C6EDF4DB211EC3733A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231120Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:07.249{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034CB109C0D5850B95AC9A03954A139A,SHA256=F88ED1C334C65B64529B1A952E47213B0CD9FE838F30C9A8911C590DF014ADA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:08.653{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB11D9907877D9BD4C788472F1DCA7A,SHA256=EB021E077FBBA364CC4632BD45C274BC46781AB130B3B35B089FF186DAFED3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231121Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:08.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718BA3FA347A8E9954169DB585B2B8F3,SHA256=864C2E25E88F255E9817A5A561EAE8630269AC312EF7822B5A44CDD48A4092A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:07.706{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:09.669{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1006B2929BF949559D5D6DE9ECBA65,SHA256=0999A584BE2EA196EACE67E4B34F32B610BA204FF559032EB8C2BEA14669E0F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231123Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:07.093{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231122Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:09.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6481D15C078DEE722E5B47EDCF5E75,SHA256=F82B65E48A1B4D359714262A10D290B1B58D0B6E32A708C82C047045D28E5037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:10.684{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F82F28D1FBF3BD33A9E9895E96EF900,SHA256=1D66CBD6714085940E63BB023F23FFC4F2202BCA9896E324DD52D27E52FA5719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231124Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:10.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB36EF8A9D1C699493CF773397879612,SHA256=A29FFE950172A4875BAD1C7BAA901B3E4FF790183A986FFE5EC373DB0BE31F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.920{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.716{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AC1C9DBDDD2AE6F89F90AAD9A642EC,SHA256=E01CA929AFE1236BE3251C595F2757AF0352D2B97BE69815D878824224A38270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231125Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:11.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB370B1CD48E37E32C635F6FFBAE6BF7,SHA256=206B8BD6F9493980709AF799F518AF20925F129739348368E8EA4B3366C2C37A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.934{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7EA3126FE14F92413EB8EAEECA980E6,SHA256=2F6AFA7C8584DE71163F63D5B7DDD8E0184DF709DAD0FBE66C92A3C9CA478ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.934{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC0DC81796F0B9366C70282C2FF1AC7,SHA256=F1FEC37E732631F158A4C334A472902AA4FDEDAE615CB0269B16C9B62C04E118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.731{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2110291F0D4A31C36F0DF8E393491E,SHA256=CB437E239B6CCCD59779755FC5F02EEAFEA02D300E2C7F16408D13CDCB32F2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231126Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:12.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA46F94CAB2AAF61FEDF255022D32788,SHA256=8BE6BD5A96694457FF6185FF783CD190C4D3624764FD86A3B05BF2363EF8FEFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.950{80A11F3A-6A29-6127-F603-00000000F201}42404344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.731{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EFCA1A56492F1A963945FB3FA2BDEB,SHA256=5A6F1FAB52BBDBA3AEA35E12E182FC8A2953B29CCC092B78BB011C40B41C2275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231127Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:13.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE52AD38C260A2576BA7BED9C384F8A6,SHA256=830289084CFCC0032B91554B84763262304EAE6ABF9BA2CD9FF83BBEDD5B8491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.670{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.046{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.825{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833E3509959EC6F3C3EF6221A2B820D4,SHA256=0BF88BF911FAA9DB068F6E91DFEF1EA232E6940AE6233E2144B4C782A5A682C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231128Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:14.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ACD6C1EB1C44A83B2F7DBCBA24D2DC,SHA256=29E3412ED57143E1864CAC08C099FDE62C4E2D29B71279197358393588DBD5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.059{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7EA3126FE14F92413EB8EAEECA980E6,SHA256=2F6AFA7C8584DE71163F63D5B7DDD8E0184DF709DAD0FBE66C92A3C9CA478ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:15.841{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B533185CA3F56C6ECEF414427BE941B5,SHA256=70E61E630C0B77416CB5A753AA602D53554995018B2903798F267D0EB057C59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231130Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:15.312{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E7F1AA40BC3E25F98F8A830F61B0CA,SHA256=59685AF623F006D311141DC48AC17E6E1BC555E07C6238F8A66517B5317FA653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:15.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84393FC2176D2CC2335E622F4BFCA4EF,SHA256=9106ACCA2371EB411A0317BBAC48223EE358E9C88DC5BE61AA9434AA97D90C50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.769{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000231129Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:12.187{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.841{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D35012C7A4A5B6BA5B5C71C6380FDE,SHA256=E4865C2EFFD24A0129BBB993A9251B4F7BD10F88817D6702365A5838FB22FE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231131Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:16.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F94489CA3A46B2D108D962FC6F7F23,SHA256=789553328C3F1F8C4EEE9703851CB6D8234B9224734E53B9A95AE443F0EA2C77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.810{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000271855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.066{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58111-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000271854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.066{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58111-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 10341000x8000000000000000271906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.935{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924768C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924768C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924768C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231132Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:17.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50087766B981777238D895A63A0BA4D,SHA256=FBD2BD43609641E6BC9D8612AB5AD33B4ADCCFB465C61EDB637E167D851DE346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.825{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3960D3AE79D824ACB3CBFEB0D48F2D07,SHA256=B664E1986AE43E598CB0BD856AC662499A1F24858B91E67AE985B687F63DB18E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.700{80A11F3A-6A2D-6127-F903-00000000F201}47005088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.466{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.466{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.311{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.247{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.231{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.231{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.107{80A11F3A-6A2C-6127-F703-00000000F201}11601120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000271865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.974{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe8.13Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\ad2.bat"C:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=0D634FDABB6046E5106293972FCBC968,SHA256=40BC229F0708E3608FDF9788E0DD7AC02DFB750D257F7F99CB95A1B3C6FCE9E9,IMPHASH=5962B5A92CD4E6C7B3EAFA149B008211{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000271910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.966{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91A918782CFFBC54644EA973B53AE01,SHA256=502753A1360F855F04310766B9BC14E5AF1ACF88324E28B12721588A64FA4A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.966{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4265C5F465B75C0EC9115E5C29B1E60F,SHA256=243607FEA8C122B5951C99EDF7CE036A5AC5C7A4F4123321BA36178E068DAE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231133Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:18.358{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE9A38B92A8E558F47B46872C736DEC,SHA256=CB4BAEF1D0DF2B9F8462972F36318242363AA7CB5A1E3B28F2F8881B88A66799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.247{80A11F3A-6A2D-6127-FA03-00000000F201}25961060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.200{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065AD014D211B7B9BC33635FD72C74CF,SHA256=6DA2B655DFB062315502C717A93103810F3090A088F68E3A96AC56C2C8254EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231134Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:19.374{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117CB59A0C3849015416D9A10AFD79B3,SHA256=4233E331179262C165FE91CB8CFBAE07AEDD807EBCAACE70CF4995538C13EDF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.513{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231135Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:20.420{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFBD076A825A03A3E236EBAEEF69B9A,SHA256=A71B0C47960524E6EDC124407DC5CC1EC971BDE979378EEE8B2D799CDF41F527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:20.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EC42042650775FE5D3060AFC5CC6943,SHA256=3DF61D17356A9C488AD70FB2B10AB895316A1F7789931C47EB4B1230E0B4675A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.612{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:20.012{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215424EF26FD055DBF38B487BCCBE72A,SHA256=6CBF8FC915C05751C944D8E5F9460CC9AA0501D185103FE487DB8D6F24D81AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231137Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:21.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FC2C07864A0F7CA6E3ECFF3BE7010E,SHA256=5D725CEC825F5505CF7B5BD46EB12044BCB0BA9263337703A1C9000F467B5AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:21.028{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031F9A004DB9F701388CCBFF0BA25BA4,SHA256=85AA58E3AB5DF7295BF1EEEC9B33965357B689A7F357E19CDA0560A106640EAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231136Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:18.093{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231138Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:22.467{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F080404C09B3153716A8A8D7FC66B486,SHA256=DC39A77DB0487906D63740D229EACA8C1C60BC2C1E3E175B4DEF4C4DFE9BFE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:22.059{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EDFF44E95A582D26F513A1186256B0,SHA256=BAAC4010E292D30972173251EE4DD72861B84489B364CFEF6B1DD5BCB0296023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231139Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:23.483{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239B6F0A3CED5ABD23FF49039C2EE8AF,SHA256=31376C39F7AC5D31A368AF89A1DBFC992589F8CE2FEDDF1C57EA037785827082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:23.075{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA0F618871505089AC0214DD8799C2C,SHA256=BBA4721B2B507DCD3871F994F03422617304E4050120CFE0DB98027AD1061643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231140Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:24.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635124B7F17A70D567F1C339E5B50559,SHA256=F86557CE4C37B458CC1E5513F514A3D7FF7D438066054627B1929C5F73ACA5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:24.122{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE606E90CAF156FB6174856C0CA0949,SHA256=880A403205885B9B7E70836A887EB85DB09A99E51577C90F3895705A383CA4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231141Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:25.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B261DF59B023B23E99FD8FD352FCA143,SHA256=815579044AC36A568E0FF01595023E328C16B64E81E7BF34740C3393372FB43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:25.122{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D51C1DE140EB1B11023D822A404665,SHA256=7588E5B04FF6B9C7B9E5EEC2701ABE43F491A4FBBE1807606291BE1CD153D870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231142Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:26.561{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7298D14096104547344BD6C88142060,SHA256=05F228990C9E8D3A5032ECCA3F31E34D7930CD750F1D05806C9CE14B67E04F33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:24.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:26.137{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D76885AE69C905CA94B4AB9E55221C,SHA256=0316EF4A7EF73DFD81BB7BCA319BE73EA4BD253A9F9677C06896833221A9C3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231144Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:27.608{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1D7F5CA5B9D7E4B222587493A28AFE,SHA256=353C402302AAC0DAB5DDCBB530EEB2697581EA46DD2EDB6D3B03FB664A4D6B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.153{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23F07E6085DF16187B1E664F79C8D67,SHA256=A14CB6C77426F1E7FD13DC870994852CFADC58F3EDA045E62D82752185C24CBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231143Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:24.093{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231145Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:28.639{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A27A3733B3BE764F0E3C4871A88956F,SHA256=5D76B76C8E21371D1B0E656D4074A90E186919EC8B613DA83339531BBF7E91E4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:28.872{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x8000000000000000271933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:28.856{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Config SourceDWORD (0x00000001) 13241300x8000000000000000271932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:28.856{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_306E0B0B-0719-4FB5-BA4F-7A2D80831A9D.XML 10341000x8000000000000000271931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.262{80A11F3A-4F15-6127-0B00-00000000F201}6323276C:\Windows\system32\lsass.exe{80A11F3A-4F11-6127-0100-00000000F201}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000271930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.169{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610229308CEEC61DDF773814DF2EC21D,SHA256=A3AAF0B4644FC83622F12190C0FA511D260BC20C5507FDF28CAF61B91FF05188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231146Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:29.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D330C42963C6BBE1C3AF071BBEE885,SHA256=F1A3041B6E36C239E29075CF9AF20718F8E9F844A289E6F8815FC839FCCB9DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.835{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58116-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000271942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.835{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58116-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000271941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.733{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local58115-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000271940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.733{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58115-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000271939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.725{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58114-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.725{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58114-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x8000000000000000271937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:29.247{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57BE9D381645D287EC9BDC8CCD315F8E,SHA256=5270BCD17414AEA011650F71C877A62D96A234C10813C665A9630764083ABFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:29.247{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9444E3752944113903739045928E8A9B,SHA256=60C1061220F62DE5C12BA723E71F4C1EC025639F2055DC75493F384FBE362C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:29.200{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233DDCD80028BC6204510FDCD5CFFE15,SHA256=20AA0129DA13B0464E119C29EAA321B509A3E6134FEEF74FC9F2BB8F6DD107F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231147Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:30.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AEE26DDF82940D3B87E595A7005869,SHA256=02FB89561427173F85367CCA9E96E3D846490154F84D6442A69097BB45D3DC78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.458{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58119-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.458{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58119-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.445{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58118-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.444{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58118-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.426{80A11F3A-4F17-6127-0D00-00000000F201}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58117-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x8000000000000000271945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.426{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58117-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 23542300x8000000000000000271944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:30.231{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA184283DCB5137F1F980E352503AB8,SHA256=768A6A4DA6FC49F803CB73AE9992919FAF9F8E18CC975ACE82AB32844F29D896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231149Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:31.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7331948D8CAD4938168EC77D1CBDF229,SHA256=0DAE2C30EDE5101DD747DE454A0998095781307140596D1E03AFEC5FBC8105D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:31.262{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBCA0B8C26B56E1757DC93635078D19,SHA256=6ADE98AE9343599CE6A1640CDADE7B8BAD5314EBCDB156362B02289ADFA41E10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231148Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:29.140{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231150Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:32.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69227219D8BA42E56D9DA0F73A207FA5,SHA256=2920E9EA64884792188D0288F001D0CDD1DF3EF121F46EFE95BB9248447BA558,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:30.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:32.296{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362A0AFB4A0F13AB9E4E12EBAE735B12,SHA256=A4606BFE6C2921E5D5D5F92981F237B4CCA1DAADDB971F2EAE63519FFD0D85D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:32.106{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=8A962529529F20B53803C8D44B61F80D,SHA256=E6A5B43783BFA13B631DED420AAD09CF98D4E54A983B9B8850FC9E1A0EF70AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231151Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:33.764{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A141D562AAE1EAD5BB8B719B4E457C3,SHA256=0086B513F2D18967D43ECDD543A69BFF067F03CA80DFA409A9C63816FFE2B478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:33.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFB91F4EF74BEA01F414A4BDCDA7988,SHA256=9877E73F696E8F59BC8132134B51D3BFDEC976E2B41EA277F1E1C71B4FC2F139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231152Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:34.764{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164C2BEC88C92CD8FE8825618923B147,SHA256=9D54AAA2430527ACB0033A2F0D1AE77AA48428AFBE13F10B7DEEFF3ABADC7BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:34.387{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F829E5FCDC4E179A0B2C822907503F82,SHA256=A8AFF140D371222553FB6F18B398BC60F714EE09823A36DD42D061FCB919D3B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231153Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:35.780{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9373DB6B47EAB04A1668D49443E0F162,SHA256=BA8A620AD30D2BE4F6D6BA8069E30C6676357D16D09CA6C7AB5068F8D6F44F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:35.419{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF8CE25C7B20D23899E99DB80BA1970,SHA256=F0123F7186582876DF23F2D2B7985F33AB5DA1E883B1C0C9261B0306956472DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231154Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:36.842{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E6A4352CDD7C9B900C112E59AC1E69,SHA256=3CCF0AA80CD19BC35187867594934015B34604516959EDC73ECACF57F9F940AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:36.481{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C19A35CADFBBDEE7752A3718C849ED,SHA256=C1B259144C812A44B51CCBBC1AEB024F440D8BA6300823EB4049599A2D20B72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231157Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:37.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FE49A89933E1CA89EAAF396DB68FDA,SHA256=8E2ADC1E1B9AB952FBE495FDA87DDDCBD40048577E92440E7D72289C56D92A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:37.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDA96E5C245E751BD4D796AAED5B010,SHA256=641A78A61B0B727768864232420DE959361F4406F7E42DA9C06D31F91361ED93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231156Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:35.046{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231155Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:37.266{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-112MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:38.700{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166E50B1658B117411565EE0A034A3BC,SHA256=F70ADBEA98F3B04E7398F8E826A774975C8ED3C533E31578B9E414E084A72095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231159Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:38.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D837A35C73AA9C03DE807AF1B33A0B3,SHA256=99CA588627BB1EE776FD9EB099714F9761478462DAA9CC44FA3273C48D170F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231158Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:38.281{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:36.612{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231160Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:39.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E0204D195E3335A0962FB62C66462F,SHA256=9497DF1ADA5B49C31D482248DDCAE929DB463D51B69B2A6865A9CD43D44E7E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:39.715{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC3865AA3A359D4E422DF87E16E92FD,SHA256=F6C99B2F5DA47F2A45297EA377AD9929CEF3D62BCC030E893AD3FEC18C01FBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:39.122{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_101732MD5=059C733B0EE6182D683EE7E147F163B1,SHA256=6C74ACC1BA0CEB3EF59FE0594E1C1428BC778F07934E31419E91FAFF1719849C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231161Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:40.874{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901DA2F11FE6AB3530E5D4172B6E0535,SHA256=8B7D1B998C3B7221849BC827C0F753BCDB21EADA9D6F8BB173BEEB562AECE7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.747{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49501F8FF6E04162FC8A4BFA141B0B1,SHA256=58FE119109966A53A0E33A68E061B982F670FF6A55DA69C8CF2F160CA43045CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.341{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B473D6A428109CBF693C56DEBE42EA9B,SHA256=7CBCD7760A40E2C6298FE33EC6570D793E37229E470178C2FFFE27C2C530F3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.341{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57BE9D381645D287EC9BDC8CCD315F8E,SHA256=5270BCD17414AEA011650F71C877A62D96A234C10813C665A9630764083ABFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231162Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:41.874{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4E5339191C8395ECE08652B168F15F,SHA256=491D08F1330A0823CAF81FCE7B140C3B4AE1455DE46FCED4DC986AE3792B33EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:41.762{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9052BC0C1AA24518BD69E58587D04F0,SHA256=4B83C497CA56B1B33F95158D82B5149B87FCBBC202B4C7D494E16DA0E055390E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:41.325{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a63-0x9a61bace) 23542300x8000000000000000231164Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:42.889{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52E59F5B24DA182C8A7E7C1D8EC5C92,SHA256=CF4394BAD3D9EA30239CF041E8B7EDA72F844120450BDA95B0022880E553D2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:42.778{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D17EA7B65EDA0021F486E2F6419110,SHA256=1801EBFB8B40FCF401ABD671DA3CA3A1D838146529BF09598A14C5365C16F5E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231163Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:40.125{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000271969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.877{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000231166Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:43.889{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91721F641F1AA65379728DBB41DCE0DA,SHA256=8535D590B66FE88D0C958529972289509C927A286B21A4497DE497F4DDBCA7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:43.809{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2083BD067953D00EEF639ACF6E5F8C,SHA256=FB990F92EA5CA2C1646ADB001DC54FFDE4E2A1502924FBC43382982226F4E791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231165Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:43.421{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1615A0DFA22E93B9645ABD2DC39EC11B,SHA256=5B0F2E70953FBED0F72B2104842C7814DBF0EFC02BB5D9081583D021B3463CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271971Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:41.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231167Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:44.889{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1375687EB56884C91A48BF1935698194,SHA256=62230E9CB8381E14C0E06D0CD7C5CAB47F7855D8024BDBC021F55E72E410FF7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:44.825{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23208B8AD1A9C81D5D585A0488F6BF14,SHA256=BD17D11CAAD9435173D001E7F5D4574144354A1D303B3D11CA8BCEF3434CE157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231168Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:45.905{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18A26EB1552FF3C975F3CC4FF163CB0,SHA256=AE24330FAACB1E44843299FECF0B239CBFDECF347DC7485F571A2DAF2D50314F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:45.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3626E454BAB3F6859736D13AE2B92C1F,SHA256=8A422B5EF7F889F7F3B1D1E3272FE1AD230C140F9042AC9A1BD1FF0B1A178708,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:45.606{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:45.153{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EA2CED676F1CBD122F30744675DC5F88,SHA256=5BFFBDB9DD644E04F27509902837F688FD3FFD3561BD150FFC44D5C9B8AB4A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231169Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:46.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A401414A5E65C112A1BFA74D43E7B9B,SHA256=8F2F37824E2326DDED1719E659273A8679DE9B590C693A498ECEF756CFDAED81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:46.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402F3CA6A985F287A47F013D974E8941,SHA256=C8820284B05A7D402EAE42B59ED85CC37B8C4F5BBEF478617C033C0EF8AE3086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:46.137{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_101732MD5=BC9AA318991A7AA2975D2674C842EA54,SHA256=C258F69FC316048FE15D5C07674DAAFBA5B520646A52CD99B18146FA9048D3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231170Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:47.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46864DEC38700B9709A2D6865E52A76,SHA256=F60233DF9F2B1F167BE0C7CF6DAD342EAF24A29274ECA902A532A100381199BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:47.856{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C7D39BFDEF7863B7EAA77CDF4AA220,SHA256=83C8DC4C8A68FC0FD296E8694CE78E4169EB7C236AD5DCEF98CD20E235E9F9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231171Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:48.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA062D8FCCFB9B442EECA34B19CE2D1,SHA256=C7E7BA7A8CE709C62C659177353CB71239CB886CA1FBAB63FE0BD80B28C4A577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:48.872{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970F09E9E568352E629442C83671958A,SHA256=CAA4DEF60FAB14A04AFF43A8A48FC8E9BAF0D21797098FED8289D7DEB0DEF449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231173Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:49.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F08E5D491DCC51718D6E4A834AFF5B,SHA256=4D1392A0873B28775CD787F9AEF268CF3EBC07BB667C26D1546EDDF94C126163,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231172Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:46.109{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F83-6127-8F00-00000000F201}4592764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F83-6127-8F00-00000000F201}4592764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000272016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000272015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.731{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.731{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000272012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45921376C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45921376C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272003Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272002Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272001Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272000Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000271998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000271997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000271996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271992Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271991Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271990Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.637{80A11F3A-4F80-6127-8000-00000000F201}22044720C:\Windows\system32\csrss.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271989Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271988Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271987Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271986Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271985Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.633{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{80A11F3A-4F17-6127-0C00-00000000F201}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000271982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.528{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:46.706{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231174Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:50.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BF98809AB0CFBDF3756C068B675A1D,SHA256=ED6B3B7CA3AC4FB790EF4197BDA0FE5F548F1C577EDAD206B35D9ADB496C2AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}4592208C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}4592208C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45922548C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45922548C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.762{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=599E0CD437E6EDFA1E5CA554A5809023,SHA256=C4648CDDE01D1D7BD5D335623DA3D9FBA65F72E765B79095DACDF33A5366B31F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.762{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B473D6A428109CBF693C56DEBE42EA9B,SHA256=7CBCD7760A40E2C6298FE33EC6570D793E37229E470178C2FFFE27C2C530F3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.262{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5980C7F3495F9DA8355752141426293D,SHA256=C1CCC0FD71628D8E8C846AE9E0A47E104621EA3ADDED0F1E1D4BDC843CEC6DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.262{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940B84F1F70C37DD305FDF6EEA8083D2,SHA256=FF56BDC80DC34D084E512FD03C6749B015FC7E05171901A75BCCDA24D5233BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231175Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:51.952{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16100F151B73FDDD32FD73BBD7AC7A9,SHA256=4465E8FFF66AAD79D54A2757767F4EE8834BCB244F0D60D0AA4591DD2276DA9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.622{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.622{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.622{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.278{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C5C1C4D4BEAF242FFF3EE35B73B356,SHA256=FB6DF81041B3F0F4ED9D18BF45BF6049B9EC84DF466C73A6DD4037A35C7384F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.081{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231176Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:52.967{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968DEAF0D79339BCF49904BBDA7E967B,SHA256=0279C40D7F66B9DD88720EC4789EC1332ACFE0A405E0860A14B4DF6A2094D090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.278{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CFF2FE7157C7D9C03599E29700E9DA,SHA256=95E7227AA2A78079F1015B8FD459145A6DDFFD50C2E7D396AF9D8DB01ED27B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.090{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_101732MD5=D7C705A0BB5EF28941E08522824DE0CD,SHA256=E2D912BF40B6987F3E603687D625B94CE65831C2BC90D91F3031BE7C5B171125,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.075{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.bat2021-08-26 10:17:00.433 23542300x8000000000000000272045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.075{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.batMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.700{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.700{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.700{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-4F15-6127-0A00-00000000F201}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.294{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83A33CF8FAE1D6CD992AD616388D141,SHA256=D2B07232EACA47A6DDBCBCDDDF0F8072157B26FD2E3EB4B09DEE64714E27896F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231177Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:53.999{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F508B4509F6D50712D2DD2C6AEF14FDA,SHA256=18170112BB77A032C676AD439913A1225D009543CD3988B39DB04632D334AD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=002D226D33D9D09A5868302A623690ED,SHA256=1702AA1AC68D40F661CC2CB89DB381A36C16ED9FEF9C28409324306A11B4A442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F5A398EC051C01201E0ABED5DCB842AF,SHA256=B2A8E83D8D4A11429415A63572210B8882566125A7B04B09B9D83F95B07B1E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.421{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-112MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.325{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765C467DADE0770AF073B085713D6CC6,SHA256=7B95EEC5DBF222F9A338822D269C65FA2C8F6865807D7523B061D4D72DCC3771,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.638{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-08-26 10:17:55.623 23542300x8000000000000000272067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.434{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.339{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9290BE14C75327150889DE2B421B11E4,SHA256=7261CDE49B989131F93F22A74B65BD3523178EBE959A45BE983C8B6F1B287576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231206Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231205Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231204Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231203Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231202Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231201Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231200Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231199Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231198Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231197Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231196Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231195Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231194Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.515{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231193Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:52.094{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231192Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.202{D371C250-6A52-6127-BF03-00000000F301}16922572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231191Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A52-6127-BF03-00000000F301}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231190Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3BB5C9E403989CD702EDFE7B57B820,SHA256=8B8DCDDC80791B8801D5F9B3682C03A23124447F4024FDA06685153666ED3A7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231189Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231188Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231187Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231186Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231185Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231184Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231183Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231182Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231181Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231180Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6A52-6127-BF03-00000000F301}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231179Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A52-6127-BF03-00000000F301}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231178Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-6A52-6127-BF03-00000000F301}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.323{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.323{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.323{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.323{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x8000000000000000272061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.287{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-391.attackrange.local58126-false93.184.221.240-80http 354300x8000000000000000272060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.284{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54604- 354300x8000000000000000272059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.280{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-391.attackrange.local61255-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000272058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.280{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52358- 354300x8000000000000000272057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.722{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.361{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEAF8EE6C32E1218A5D4374B47B50AB,SHA256=B8797F9D9E7DFD2E89EE3B22288F544ADA4F80681DB99900800AF798CB210AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231223Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.389{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231222Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A54-6127-C103-00000000F301}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231221Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231220Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231219Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231218Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231217Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231216Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231215Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231214Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231213Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231212Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A54-6127-C103-00000000F301}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231211Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A54-6127-C103-00000000F301}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231210Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.142{D371C250-6A54-6127-C103-00000000F301}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231209Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B75FF4667403FF9FA630064B456FFF7,SHA256=B763721D9A357E0F49230A5137A7A12FC4D5441E73969AAB58ABAE4C7854A35E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231208Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.030{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7113532B8D83711CE3AA4E1AD58163,SHA256=2AAD4AD1DA498E7DE6E4A19B2F92EA53BBB1E012881BFE100004CC8FE0571E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231207Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.030{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=706273F1CED5C79AD3F73D74AD4791C2,SHA256=7B97EECE58F6DE91320EDB0B28969C0E7F01AC30552FDF1A55EFF8C700A6AFCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F82-6127-8800-00000000F201}41204232C:\Windows\system32\sihost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.064{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272070Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.064{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272069Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.064{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000272080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:57.361{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE4A261F232637FD29EEA276208E3E8,SHA256=B16EBA25A92A00C26B5D9B072BCACB1201E3E597EA65A84DFF8D1E5416401AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231225Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:57.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7113532B8D83711CE3AA4E1AD58163,SHA256=2AAD4AD1DA498E7DE6E4A19B2F92EA53BBB1E012881BFE100004CC8FE0571E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231224Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:57.030{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89414B7C013A6E13B1EB00C56B4A52F3,SHA256=FA3BF98D0201875A6D365DFB86B869E1BD2571E95B4FE6C146513EB34A3FCAE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.736{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local59056- 10341000x8000000000000000231241Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.561{D371C250-6A56-6127-C203-00000000F301}12482968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231240Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A56-6127-C203-00000000F301}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231239Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231238Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231237Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231236Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231235Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231234Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231233Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231232Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231231Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231230Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6A56-6127-C203-00000000F301}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231229Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A56-6127-C203-00000000F301}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231228Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.421{D371C250-6A56-6127-C203-00000000F301}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231227Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.344{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231226Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.046{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1D999199B49177DE039C2B404207C2,SHA256=E1DA52A5A588526DA97AEA8E2667BA2A057542B54BF33349B0403130676F4783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272084Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:58.392{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FBF05B2B0E6DC9D1683B7447346E9C,SHA256=2AB4DB89CD99187FF180C8AFD8C94481C454F8ABC9DA45CBFD9C65C9CEE02EDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272083Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.050{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-59056-false127.0.0.1-53domain 354300x8000000000000000272082Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.766{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59056- 354300x8000000000000000272081Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.766{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:e3b2:81dc:ffff-59056-true7f00:1:0:0:0:0:0:0-53domain 23542300x8000000000000000272085Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:59.392{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349592A18028F98FB33E04254B82D690,SHA256=48CAEEE305DDF30A4A3014D57850EB9AAB0E7B055079A6DE21EA3D95E8C92ACC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231258Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.733{D371C250-6A57-6127-C303-00000000F301}3681484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231257Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A57-6127-C303-00000000F301}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231256Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231255Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231254Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231253Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231252Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231251Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231250Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231249Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231248Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231247Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A57-6127-C303-00000000F301}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231246Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A57-6127-C303-00000000F301}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231245Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.563{D371C250-6A57-6127-C303-00000000F301}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231244Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F890EF7FB92799748BC4CA02A828292,SHA256=94789A0F49935C0F5876AF9F9DF98B8B3DABE05CFA523B4586FCC721AE456671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231243Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:57.094{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231242Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.061{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C361045E1BFB8E35A0F488BFE260BAB,SHA256=9FAEE076EC2412C7A3EF3530BD5032F4B482AEA039A753873D1B4C37EB682DEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272087Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:58.601{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272086Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:00.392{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCF09FB627AF60EB218DB4ED9B029AF,SHA256=D071D217A653315540495E09494E4B682388C7A69DEED30EE60FFE9D1EF6D1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231274Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.655{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B1E222D1B211B00BFCD146D1281F390,SHA256=B8684B9AC75199687B3D68D6ED337118B9E0AC6FDD941018D48773E5ACCA9F89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231273Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.389{D371C250-6A58-6127-C403-00000000F301}9721956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231272Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A58-6127-C403-00000000F301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231271Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231270Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231269Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231268Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231267Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231266Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231265Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231264Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231263Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A58-6127-C403-00000000F301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231262Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231261Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A58-6127-C403-00000000F301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231260Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.188{D371C250-6A58-6127-C403-00000000F301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231259Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.124{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B36FE7C01D75515C2A70B7324E4CC53,SHA256=02AAF91D8556EF1E1FCF76AC6A144DE5004FFA7C3987594B5138B1527848989E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272091Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:01.595{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-08-24 07:51:18.294 23542300x8000000000000000272090Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:01.595{80A11F3A-4F83-6127-8F00-00000000F201}4592ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=846C5C3E988BABB67D7D78D82BDC2A0A,SHA256=1E8827C8F6177049816924A2CE070F6865EE477217506BE61767C0832825D288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272089Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:01.454{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E82B29461601571A36D14602528317B,SHA256=635C7F1CBA0D4E51401323446B6925A15991FFA5EB058BEF50E6FBEBC3072FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231275Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:01.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80645C35ED11F818E816C9049F9F1927,SHA256=0E0C4155C893456C035717EB16B630E24668D0E3619F7D1F2B724382121FF1EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272088Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:01.220{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\ad2.ps1.lnk2021-08-26 10:18:01.220 10341000x8000000000000000272094Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:02.985{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272093Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:02.985{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272092Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:02.689{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E27F94C9E37622F985117F627C65B53,SHA256=2C6D351E4303B9840385774B15099FA5500F2077F61BCD6E41A6FB773DC8268B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231289Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC6A2DA2618A8C0685E99660AED91FB,SHA256=63BCD1145DBA7B2E51BB8FCB1E86FD320A71BED0F7D4B9626A8DA0CEDDE4C72A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231288Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A5A-6127-C503-00000000F301}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231287Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231286Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231285Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231284Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231283Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231282Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231281Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231280Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231279Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231278Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A5A-6127-C503-00000000F301}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231277Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A5A-6127-C503-00000000F301}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231276Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.093{D371C250-6A5A-6127-C503-00000000F301}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272109Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.735{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188F3704D82D870763A5D9AB765F2353,SHA256=81192FFC42D27F6D3E470977D13E96BC8F86563FD9B25FCA1A1EF4C1EB38EBF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231291Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:03.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DACF976EFD514267011482A43AFFB7,SHA256=9F5E793E4C1FE5F10E157F138D2BC8759467121F9E633EF031786E748D0347A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272108Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.314{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000272107Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.314{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000272106Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.251{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272105Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.251{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272104Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.251{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272103Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.235{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272102Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.235{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272101Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.235{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272100Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.235{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272099Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.064{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272098Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.064{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272097Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.032{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000272096Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.032{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272095Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.001{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000231290Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:03.108{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5B00341156346DFE5C2CEA218895929,SHA256=CE84020B6DB541EEE2D1F3023AA2620D88C110B2388BF9D20975B5C0C5526B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272112Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:04.767{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0861D389194E0CAFD10FBEEE78C9A61,SHA256=4F28C3B0C6AA503AA84E5EAFCDC0244A52D680CB7CFBC1D5525AE6D15E9D2998,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231293Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.219{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231292Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:04.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F182B43A8D8706DA86F3B62F7810F4E,SHA256=B170F592765941B50750E8D158D110A48DFB5742CE8CC612C5104EAEECF5EDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272111Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:04.048{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2619D06C76D032EC97CF397E4AE5D9B,SHA256=13CBB6B461EC45F6C83E5F5AAB254CC91C4C2C2453163BF82B92A04F0329E4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272110Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:04.048{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=599E0CD437E6EDFA1E5CA554A5809023,SHA256=C4648CDDE01D1D7BD5D335623DA3D9FBA65F72E765B79095DACDF33A5366B31F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272114Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:05.814{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2C84F43094C49364CF1E0B1CDC5A68,SHA256=FC9AEB25BC0C5D28EA8296503D0DDDF3510EAEA73F62F8B51AA707167476A98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231294Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:05.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919F76970CC551889108D8A9EE492B3E,SHA256=FF380A5C0B913DEA899C6A08AE46E9FD94832E6A36D713A8B4333610A7BBD8CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272113Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.633{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272115Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:06.845{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB8DE7499249E8E8664D81687ADDCD2,SHA256=3627C75B7BA535FB44DE82E56D69302EB61502CF24E2B6E601167E55B4273FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231295Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:06.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F90EEC752A667A79B0733111F125F2,SHA256=C27D3F3079A289578C8697F80FB48BE1E7F78F9E2CB44B9B62C1B75A0D2C2777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272116Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:07.876{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C613CF55EA7791A72131BDA846852624,SHA256=F6FDA04B2373D5EBFB3EFA28230279E1B5349B6CCB0DA239413A103032116D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231296Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:07.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3499082974D31C5F942F7E88B62BE32,SHA256=0288974D41433F3B7FE305C8FBE99C2CDE24B74ACE30BE23A177E7FFCD812BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272117Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:08.939{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760CEC0C39772ECEBBD54D2D59065EA3,SHA256=4D7F0D6E9E598DCB886CBDB0DFB05D04B3DFB0582CFE2005EE0E3C3AD85159FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231297Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:08.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FD5BBDA3B85A2D00C9F3C2863A26C2,SHA256=8ADB6DAADA7BB37A5A8F32F6EE01B955EB67995866183229B6C7BA4569706350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231298Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:09.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9633DB690381FC9877D3F91982B239A0,SHA256=382ABE44B8A993EC1B9C1D50550B42A7ABC13EE8527D9DF5304271E598AF116E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231300Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:08.172{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231299Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:10.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C31085BDFD7665B991ACE1664711EC,SHA256=C3FADD2361E7B0EE6B66D22EA56BB5F59126A6F28FEA7F2AC351ABBB91A35FE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272119Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:08.695{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272118Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:10.017{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B86D8B06D9A7ABBE7ADF06F84DE84A,SHA256=11FEA67F256F228BB2C8706EAB9A17C10989EB243D036A6DB68A597D748245A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231301Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:11.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1D0BCEC9E5021F5579FA3E0B89E942,SHA256=AB65C19C6FF29596CA64605869973B0CE13AC450C14DE121EA97F73C631D52D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:11.032{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B54AC6820C327EE75BCAA06D0DF6145,SHA256=290B839CC2C6288AB2EB5BE4E35F23A0F7A90FB6166D8C41738C7EEF17FA82AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231302Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:12.217{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F8FDAB4F1F49888C6D4272F003A014,SHA256=44C8ABB3246E2AE3741DBF591354C907F8F77972C6305153211C8C380EBC948A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272129Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A63-6127-FE03-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272128Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272127Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272126Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A63-6127-FE03-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272125Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272124Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272123Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.157{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A63-6127-FE03-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272122Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:11.939{80A11F3A-6A63-6127-FE03-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.110{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C99C2805B1304100D9E6EA97BCEA02,SHA256=470E2685526FF86FAEA1DC1438DD3EF02F11ABD4CB53E228EB19E6AF64935307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231303Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:13.217{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57653643B760FE3A028B8C93069BB143,SHA256=3FE65DBFF1E607A7D64880C4F36DBCCA102EAC590E0C54CE25E8A35E4DEE854C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A65-6127-FF03-00000000F201}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272137Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272136Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272135Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A65-6127-FF03-00000000F201}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272134Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A65-6127-FF03-00000000F201}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272133Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.064{80A11F3A-6A65-6127-FF03-00000000F201}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272132Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.144{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EFC64869389D43C56F2CB236473060,SHA256=0802C16CB8D1CE222E1C9B23DD5C8C8288E1F57723537EC0172CD020EC357E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272131Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.001{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF949F9C8AEA9D657B4A691C71B80FC4,SHA256=69710A09F6D916F137B60C9CAB9DF8A1153E3879511BDAEE97A769EFEC2DB672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.001{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2619D06C76D032EC97CF397E4AE5D9B,SHA256=13CBB6B461EC45F6C83E5F5AAB254CC91C4C2C2453163BF82B92A04F0329E4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231304Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:14.264{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6CBE3C02C3191253FBE64A7FCD79C4,SHA256=DF23DDDE0A1746867095628A702CFFDA1EBB33D90BA445E24F1E97A40D3D5D51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272152Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.329{80A11F3A-6A65-6127-0004-00000000F201}49403492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272151Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.189{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A5584A1EB54887F4BCC2B9C8559353,SHA256=47B459D1A6E0C14707019D4397EF41434E0D7D9DDB11500BC786F015C412738E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272150Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.173{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=8431D8B48F41AD9D00053F8727F8024A,SHA256=0158FCD60DBC80F7E8822847AF2217B2A0CF9D3EED53C3DA962947F946F51A4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272149Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.126{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A65-6127-0004-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272148Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272147Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272146Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A65-6127-0004-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272145Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272144Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272143Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A65-6127-0004-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272142Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.939{80A11F3A-6A65-6127-0004-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272141Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.095{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF949F9C8AEA9D657B4A691C71B80FC4,SHA256=69710A09F6D916F137B60C9CAB9DF8A1153E3879511BDAEE97A769EFEC2DB672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231315Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:15.295{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C132CE2C4E15C8CB3104E334020471E5,SHA256=EB231ABC35017E32DDEFC1352B62B2408665DE9266690D61FE8021C820B8663D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272154Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:15.673{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28F03A8C634551A3018A34CF45FC79AF,SHA256=25B8C993F3FCDEEBC69B6ECA8BF9DD58A77BBEF1A249B0C3F87F14AE6D4E8A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272153Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:15.204{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2139621BC09DF7CA9D9EF534BE4B4EE2,SHA256=3BA9C09C0ACF2BBC72D4CAF3CE16C91A35CAFB9625D3AE41767552C8D6C5E005,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000231314Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000231313Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006ac3d9) 13241300x8000000000000000231312Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0x4c975f3f) 13241300x8000000000000000231311Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a63-0xae5bc73f) 13241300x8000000000000000231310Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0x10202f3f) 13241300x8000000000000000231309Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000231308Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006ac3d9) 13241300x8000000000000000231307Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0x4c975f3f) 13241300x8000000000000000231306Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a63-0xae5bc73f) 13241300x8000000000000000231305Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0x10202f3f) 354300x8000000000000000272157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.070{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58130-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272156Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.070{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58130-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000272155Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:16.204{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E0A812A7C3BA3AF7856F6C01751856,SHA256=7299255406A309781A84F21BE2A98FB7737C5FB00D21B41491245E808B89295E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231317Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:14.063{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231316Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:16.295{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D945ADA9EF437DA92E13AD295FF219BB,SHA256=8DC7C860B555E1BB80D94E6B21AD051BCCD4506DF718D4921BE597CBAD3756D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272177Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.892{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A69-6127-0204-00000000F201}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272176Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272175Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272174Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272173Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272172Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A69-6127-0204-00000000F201}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272171Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A69-6127-0204-00000000F201}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272170Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.721{80A11F3A-6A69-6127-0204-00000000F201}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272169Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.845{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75B923240868D8F3EC151D963D61D557,SHA256=11BCF2E459FCC7442759B3B11E9BD241C3934E13C5C2EE8E37A4E26B67D7AE6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272168Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.601{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272167Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.251{80A11F3A-6A68-6127-0104-00000000F201}21043300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272166Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.220{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5297E05BA7E78226FB54767DA7E04157,SHA256=32C591B6685714FE049428C41CE08616E986A4A0C02C95DD16FCCC98E44B8EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231318Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:17.295{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3985D96E072A70106E9BE500D07DDC3,SHA256=AFB757B411628AB11F2A96DFD1532FEE2D55838E1BB480E6A22EE653F5CF349E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272165Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A68-6127-0104-00000000F201}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272164Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272163Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272162Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272161Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272160Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A68-6127-0104-00000000F201}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272159Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A68-6127-0104-00000000F201}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272158Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:16.830{80A11F3A-6A68-6127-0104-00000000F201}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272188Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.798{80A11F3A-6A6A-6127-0304-00000000F201}16044056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272187Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A6A-6127-0304-00000000F201}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272186Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272185Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272184Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272183Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A6A-6127-0304-00000000F201}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000231319Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:18.295{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39134BBAA0035039EA1B9A6C010E41B8,SHA256=54382EF614399AEF43A3B09A37A5766CAD993497382EC329D8D46A074954824A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272182Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272181Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A6A-6127-0304-00000000F201}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272180Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.611{80A11F3A-6A6A-6127-0304-00000000F201}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272179Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.235{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16873BAFA3553D91D6908C321803EB7E,SHA256=D68E7E4E92229AC8BE657FB0892F2F8FA0F70578357C6B50F1B1396CC76CA2FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272178Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.126{80A11F3A-6A69-6127-0204-00000000F201}24483164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272198Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.689{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A6B-6127-0404-00000000F201}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272197Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.677{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A6B-6127-0404-00000000F201}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272196Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.660{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A6B-6127-0404-00000000F201}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272195Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.677{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272194Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.677{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272193Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.677{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272192Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.677{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272191Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.517{80A11F3A-6A6B-6127-0404-00000000F201}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272190Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.642{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=509AF0E91C00B1F533ACE23C2D714A12,SHA256=B33AEF1AED9C0FF5BA8FDE63ED7CE0A870279122D6D82C96520C0C1742755629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272189Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.235{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5051ECEB9C335916433D7E562F84ED,SHA256=5D5E2C0AF1D834976110656D25725C973A03EDEA72CB3C625D8ECB979D010220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231320Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:19.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231810902F0CB148B249533F16C170AB,SHA256=42223CB328850AE4690BBBCD2CB86005357FECD89BACD5293151237009EF1351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272199Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:20.235{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5116CDEAD785FA11FE40D1424DED99E,SHA256=AADACC51251A596BBE8565401DDF426D70C71D3A20F51C4402158415B3B86017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231321Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:20.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A288EC87C8A83E6F52986EACE6EC946F,SHA256=D76A7498CCC4762016AEE9A0792CD8F693A3EB34E405560F3C9EDCF347DE78AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272202Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.679{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:21.251{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B85E5407031586AFCD458D4FCB70E4,SHA256=1654E4370FC5DEF824DE2D1DF30E99738DD353D928663060EC2E7D457AACFEF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231323Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:19.078{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231322Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:21.420{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AACDEF80FBBC064DFC7E7EED6435B7F,SHA256=18254EC9043F09B876B43ED2541DFEA184A64F62DA55DE5E976057F68BF433A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:21.188{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.ps1@2021-08-26_101814MD5=CAEEBFB2D57F4A801EEED3F92A3E582D,SHA256=8D4DD7D0C2225D5EC21F07708BD83E2BD6B48F7268CC4D969E72164262BB6D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231324Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:22.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE71072805D70092D09624A640984A6,SHA256=E058DEC7E9AB659D287D1FE45B9FC0ACD5EC59762B1742B8C9E111BE622CBC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272203Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:22.267{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5B03A35A02A51CF4AE17E8CF9A6B39,SHA256=408D81DDF2E3A544540A35D7B0A2ADCD3C85CCF000E9C8997DF8124E055F0AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231325Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:23.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F17BBC2098B7DAD5347282A3F4F277,SHA256=F6255A0EB67EF77B389256725E86E25C19FE92A4DCADFB818218636BDC14E69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272205Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:23.282{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5668BA756E8A34738125F2910B4433D8,SHA256=6DA43A9E8D7614AAC5A3432B0AB0A406F49CE68272F530894E1F701AFC73C2A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272204Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:23.173{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272206Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:24.298{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D5983D0032B70CA3C217C50736CF53,SHA256=DA5B8BC98ACB7959896E357FFE0696F79D6F122481B31071286FBC5B202E37B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231326Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:24.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B19B3FBBE39F61B16EBB859E215710,SHA256=A73E36DF0236D308ABFD086118450D191DB42E166A3474CBF338754FB6080A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272207Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:25.345{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B68332665C7E199407DFC1DC0284504,SHA256=CF731627C2C0673A6B9FA4169FD5152C7D9578D554C2CF9B2A184F611830C4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231327Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:25.483{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB51550F9EB2548EDB0676607DBBD22,SHA256=381C1DFCAFD511683F7C6FD7FD25B872DC53C3F3B88F4F3030355514C622CCCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272209Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:24.788{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272208Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:26.360{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425F30DD3A872297996137F5A4EE0F5E,SHA256=4D757BE7E8B5F293E529EF9FBE47639E113B1661563C615365127E5BCE54E294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231328Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:26.498{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE324A49A9EB9905EB5597A846813D4,SHA256=705C8E42549E4DBE853C4C8C22568400BF0261D4690E5256DFCABDF21DFEDCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231329Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:27.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19962317930988249597699C0AEF2731,SHA256=7A033B88E0FF2D527901CDFEEB171573DCB4AB9689D7048E3DC8F0E47AF6BBDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272245Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+6165e|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+6164c|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272239Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+6164c|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272238Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF6afbc1.TMPMD5=EE84C86C40C7CD0042EC2D6E141BADAE,SHA256=26A7D012C04D9E1FEE6B078ABF13CCBB0119ECB1B9DC3750809B397AAE04CC1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272237Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.923{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272236Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.860{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272235Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.860{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272234Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.752{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272233Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.752{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272232Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.752{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272231Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.735{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272230Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.735{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272229Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924828C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272228Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924828C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272227Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924828C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272226Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924828C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272225Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272224Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272223Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272222Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272221Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.532{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272220Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.532{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272219Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.501{80A11F3A-6A73-6127-0604-00000000F201}43482392C:\Windows\system32\conhost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272218Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F80-6127-8000-00000000F201}22044720C:\Windows\system32\csrss.exe{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272217Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272216Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272215Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272214Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272213Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272212Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F83-6127-8F00-00000000F201}45922284C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+3d473|C:\Windows\System32\SHELL32.dll+3d33b|C:\Windows\System32\SHELL32.dll+3cc57|C:\Windows\System32\SHELL32.dll+3c91c|C:\Windows\System32\SHELL32.dll+e2087|C:\Windows\System32\SHELL32.dll+e1fe5 154100x8000000000000000272211Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.449{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000272210Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.376{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACC7DF6F906CF3C671698F414A8ADB9,SHA256=7F65FD0E25DE92CE971990DD67659D194BD89F38A7631F249AE708A5E38F3DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:28.533{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=974BE302747344B90F4ECE2D51DE4576,SHA256=D9E46004C7CAAC5702EA1CBD464B15416C69E98411C596F0E405770712BA757D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:28.533{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F519523F9C8A896B92102DA607B938,SHA256=B16A25B781AA2BE171AA2F5668D450D474DE9D36C5EA525E98740505C253DAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:28.513{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708FC4F4A0792E4CE08F11B8B1AA3DDB,SHA256=C1A5A76FC594EA63790C6E9B8CFE1886B4D765452113588D6D92165EE024E419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231331Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:28.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C257E819A4204D066B1D786933BE3334,SHA256=781E0B9014CCEEB46CC3205AE5CA8716C6EDD700BE4B99A734CCA36DEFAF9B36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231330Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:25.125{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272246Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:28.205{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.ps1@2021-08-26_101814MD5=A1B28E7E50A5B697100B162EE0B223D3,SHA256=1CDCC9DF2B1410CF835B8246716BEAE657C8154B15733C1AF7C47C075D17F45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231332Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:29.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F74A034F1644BE130708F3FCFDFBF01,SHA256=EBDBC18B16A3EF1CC6FA9A23F44E44139F242038728E094A69F29463ADBC0705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.767{80A11F3A-4F15-6127-0B00-00000000F201}632364C:\Windows\system32\lsass.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.767{80A11F3A-4F15-6127-0B00-00000000F201}632364C:\Windows\system32\lsass.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000272255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-26 10:18:29.563{80A11F3A-6A73-6127-0504-00000000F201}1620\PSHost.132744467074495988.1620.DefaultAppDomain.powershellC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe 23542300x8000000000000000272254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.548{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602EA348D73426C5C3D7691848E98E97,SHA256=72E531C8D3EC228DB52DDC64BC52D4FC26E46CF76AD878F205152DB58FE2FA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.532{80A11F3A-6A73-6127-0504-00000000F201}1620ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_r3ea5oof.3v5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.532{80A11F3A-6A73-6127-0504-00000000F201}1620ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3ee1df1r.duf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.313{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3ee1df1r.duf.ps12021-08-26 10:18:29.313 10341000x8000000000000000272250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.298{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231333Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:30.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984DDD87BC11DE03F9B1130FA222D0C4,SHA256=8E1495A839CD6D86549981499987FBB9E85D09799184B8FB54E2B2533B879C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:30.548{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FB06080A4E81B2F365E72F94436A25,SHA256=C4B18B6538EE6CBCC9DA0922F1262228AC12626AD880C90A9AC41D45AF06052F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:30.313{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DC4C6D29260EE692973BFCFE84535B9C,SHA256=D6D2B496F86A5CE4ED64E7BC89477CECB9F26E309014334494E07BB30C76EACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231334Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:31.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF8D9154644C6D775C3DD13F7067E06,SHA256=98CB03BF0EA148EE8E68477757A522B71C8F60FFF78941387E309E34E985B3B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:31.579{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F457174A496D88A650FC7E6AF394990D,SHA256=DC3E16E1F47CC90CA165A53124AEC2FEB4D7BC07C9417D59160250D1E772A4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:32.595{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0689FAD18011448B08C82032CF4BE21F,SHA256=DD5EADEB0B28C93A7925DC7F2CF94ADABF851BBBD62C553F4E1E76DE091323E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231335Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:32.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAF377913B7B012C1F766217A1FA7FA,SHA256=2A4E719D7B606203441A51033DF009DA5124D28A59265A01B2450B55B782AAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:32.329{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=83B71D2BB70A6F9C416A48D035F627EC,SHA256=5CBBD778C12DA45A118D7628FBFFC6AA5D31E31568019F60A2AC79BFB47BC6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.610{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A1CE55D43AD27EEA5FE6646E224CA0,SHA256=2FB0DE620D72CA404E31C2A964A1C8CE1804077BB85E4E57FB601B6E2C197E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231337Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:33.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27AF33126DAF463CC27F127749493623,SHA256=8C74D1D924381D7E4EAA2688E868B4A4AB06E55E7FBFD3499833BEE1A8E8976C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:30.616{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.079{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.079{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.079{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.063{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.063{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.063{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.063{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000231336Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:30.141{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.642{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AEC9D36604585520D6CB2DD19BEAEF,SHA256=C4CFC1D0A1605F7D40FC85E68C99FF7C4F47EDF553187594147618FE50527D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231338Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:34.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F92CDA5E20F0692F15300843AE60736,SHA256=CA3029E7FBEE0E2F68149ED59630788F3926D2D0D38C789D1B248EED4B104025,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231339Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:35.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58818DFD98A671D3B5C18B4ADECEC767,SHA256=9EC86D813F24DC619DFC46B1B7BD27615745A35570554FA7E586173C3716EEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.879{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B160DEA45999A54036D63BC8E4CC13C8,SHA256=4EC4539610910FD77B70F64A78C747DED2E748457D86CD8F5329D77664B3511A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.892{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A56B687B4C6482347399E2BE72AD95,SHA256=C4DA38AD51D38168F0F0B1509DFBC4FE6D09CFAE7C9BB72D46D0FF8B207FFBDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231340Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:36.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C8E731590C12545043A300B8FB4BA0,SHA256=D66A59281BE2EC8372DB6E9D6F9F15398F44DC15AF3BCD4B41D03B5C1409302F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000272282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.001{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x8000000000000000272281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.269{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01ACC5DD99578B304A86B0B2CDCE89C2,SHA256=8ADED733BF466CAF1B114F6ACAF3C10251875E460B46443E4FC43624AF15FCD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272303Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:37.970{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4A5FBA98948ACD59ABDB692A20248D8A,SHA256=BF9A8AEE229383BD16F825C4A8EA7C2194C5FE1DB4EA04C05CEF34DEA0DD4A57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272302Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.485{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58142-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272301Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.485{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58142-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272300Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.444{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58141-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272299Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.444{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58141-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x8000000000000000272298Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:37.907{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0041953C7C652E09A06B1353673FE5,SHA256=9ED3ADD334E6C6ADD546D279A2EC53FEA5C8BAB3688FE667E101113568125EAA,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000272297Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.518{80A11F3A-6A73-6127-0504-00000000F201}1620win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000231341Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:37.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B63D9695795566CF70983359C5D3EE0,SHA256=A7F3AB40E4C8E3EEC116C360713F0EC62E545E412340FA452EE70AB1790FC2FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272296Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.162{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58140-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272295Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.162{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58140-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272294Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.985{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58139-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272293Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.985{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58139-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000272292Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:37.407{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ADA37D042399E2FD1DB31178F8A24A5,SHA256=8683E82612FBBACC6D1B13A5146D418EF1751F49E2CACA144AF605B8934F5F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272291Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:37.407{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=974BE302747344B90F4ECE2D51DE4576,SHA256=D9E46004C7CAAC5702EA1CBD464B15416C69E98411C596F0E405770712BA757D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272290Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.837{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58138-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272289Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.837{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58138-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272288Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.648{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000272287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.633{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58136-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.633{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58136-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.526{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58135-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.526{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58135-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x8000000000000000272311Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.923{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2FEA97A34E0124F8A3D2F0018D3E60,SHA256=AB2DF1B32CFAEF0643A6C592C627F8A07BA310A0B24D8E524671E607880E3DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231343Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:38.800{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-113MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231342Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:38.594{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96F0B7E9EB316EA52B23E4AE69865E0,SHA256=E86E44140D715CC47890956F4D3F890171DEF769D268015C62545599BFAE90A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272310Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.329{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272309Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.329{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272308Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.329{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272307Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.313{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272306Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.313{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272305Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.313{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272304Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.313{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231346Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:39.802{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231345Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:39.597{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA163B45BF9B2B8BB0288829E389434,SHA256=64322DDD8570B7928FF3FDE62D3F32064FCD4568D917393E681B4905DBED2FF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272349Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.735{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272348Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.735{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272347Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.689{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272346Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.673{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272345Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.673{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272344Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.673{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272343Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.673{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.657{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.657{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.657{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272339Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.610{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272338Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.610{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272337Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.610{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.610{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.486{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.486{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.486{80A11F3A-4F83-6127-8F00-00000000F201}45922028C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272332Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.470{80A11F3A-4F83-6127-8F00-00000000F201}45922028C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272331Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.376{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272330Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.376{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000272329Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.360{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272328Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.360{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272327Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.345{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272326Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.345{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272325Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.298{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272324Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272323Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272322Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272321Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272320Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272319Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272318Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272317Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272316Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272315Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272314Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272313Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.235{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272312Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.235{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000231344Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:36.078{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231347Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:40.629{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FAF8634EE5901F1BEA833ADD509F4C,SHA256=A44808C1A10D0808CD011C317ED27B3B0764000FBDB44EE49F0A62C452977EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272351Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:40.267{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45277A2FB33028A40F502516ECC1C4B4,SHA256=A2592115FC4C54AFCCE2ABB3C997B7157805AC830C2F0547BAA84C001EF2E689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:40.267{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B36D389A51AF73EA42BC03217DDD214,SHA256=9205EEDFC7F9C920A7871172D02FFFC34EFA2A9E62CDA8AD33862A0E7307685D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231348Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:41.645{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B497F874606E0616060F339DB55B9D2E,SHA256=E58A1AF2A57BF00CB2FE52FB0F6A6E90FB3F916F376E86565FB9DC04C24B5E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272353Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:41.751{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F067DEC9F9CD9EE2E1A2FB0A9E183608,SHA256=9B5CDBCFDEF22A4BEF69B2B5F3FD0113F0B6BCCD1A63B53E64F3AAC195E4BED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272352Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:41.392{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969EB5C2CBBC0BCE652C7A226BF59F42,SHA256=E5D38DFFF48FADF86115069BDD425C2AB90BCEABFD1EA319317BA7EBD4ABE947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231349Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:42.676{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FC80C4DA7A08B1C36459438763397C,SHA256=181FA91CDA6942FCE00C86C090F304B546D5902D280C3F996056EF909A3824F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272355Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:40.694{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272354Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:42.392{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C3D6C248D5C047790EF19C33ED8F34,SHA256=2F10382216A9C866490C762B2BDCAB4AF5C29416192C2DF924F31677810D6616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231351Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:43.676{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323E8198DB4B1E6A8315F1F4E068B9D6,SHA256=E42EFD8475624F0ECB7960AF84E7E4371E228E2B795BC842CC561A328A5EF7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272356Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:43.407{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3737B213111EDDA5C9E22F9DE8F89B21,SHA256=F600F2C217039AE86E0E768676ACB5356DD4713FAC93F89BAD9ECF90E1950D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231350Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:43.426{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=440ACAE0D2BDFA977E7C5D5AE75958E3,SHA256=2099CFDB33E3A55F83A3413952B66B642B89CE286F456203775243ABF0127388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272360Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:44.985{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272359Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:44.985{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272358Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:44.985{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000272357Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:44.423{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FBA046EC2992802BA95EC129DD213F,SHA256=CF9E39ACE616E90317944F3C215AD5B37F3A568722008FC25AC7F78BBF994A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231353Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:44.676{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F68245FD1CD1F9F67093A00CACAD59,SHA256=D3A765B8E93A90DDF3057B2DC708B57871FD6760E632BA9A98E2506456D8980E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231352Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:41.116{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231357Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:45.864{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231356Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:45.864{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231355Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:45.864{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231354Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:45.676{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3D4D13A968BAC05C5C627EA4E3E8D9,SHA256=202728C3B07CA54BA8FCE09777A7E50A19968E7A35483F123FFEBE68C710520A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.501{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B5B73209AA873B2A88185F26A43AD215,SHA256=C748176D0EFA190D70C6443C66894E955A2C4DD1F4432FC48E9470954FC573DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.423{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA4842A780203E3AB4B56A7B4445793,SHA256=94C156951D9E09ACF78B1539C1111ABAF05D522A56F31CE7A230DCF959611CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.173{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E93030FB9B4DD4648CCAB335759439A1,SHA256=E0F325C208A5E81AC2F454890244F37D1F28F41D17842F95D6EFC537ADA6768E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272366Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272365Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272364Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272363Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272362Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F82-6127-8800-00000000F201}41201860C:\Windows\system32\sihost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231358Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:46.739{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A44025D9584DFA7968325ADE0CE8731,SHA256=DD26BF585DEFA8DAAA62630382C33F837F62427026B1EE74979CD034708C552F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:46.438{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAE93CA566CD7C1DE7610495D193B55,SHA256=E21AE773EEC7CAF6893D869084AD9B44D598EF3116DB06ECC5A96699EF0CED21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231359Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:47.786{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A91E6D0F6108E506C5A02E13468DF5,SHA256=2884FDAFF397AAAB87DB34B8E1B78812650ED6D98F6A18FCD53E6006A177C763,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.804{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:47.438{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B99B0D8A8669D810A2F8D71F34996F,SHA256=FD67B38FBBBB05D24886A7BA736E5753DE231E78AE9BA4E9E53FA0444E6EE256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231361Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:48.817{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52EB33B917358828C85391822AEC83E,SHA256=00E602B8910A13A15BC817AE3CE4974EE04DEC8E857FBB43A9CB2E19005E370B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:48.454{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C6701EA9CEB029FF4232872E5AD3F0,SHA256=BCA4B1E6EFBF073B854350DE7AAF3CBFD60C21B843D4FE94EDD1BBEAD77264C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231360Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:46.131{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:49.548{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:49.470{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766AA2D22321DDB3D7D7DF97B46069CF,SHA256=A8A34919D82237DC04A828CDD8296653B6EFD8AD34D680D477F6151C761983B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231362Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:49.832{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1205E92944610DAA661D5C132E02F9CB,SHA256=9CA52D59523ED6CAB28E770CD50BBD5DF2158B194ADF7DEDC0120E82BAB2A246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231363Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:50.832{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D3BD1CD6B36BCF39FD1CEAD8754BCE,SHA256=B1610DFD98711462823EEA09E161CCEAFD568E24103E060853550C79370F8EB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:49.101{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000272376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:50.501{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB018999BDF834167FFFE4FF6F6B8C9,SHA256=739FD91E6FA0FDF4917BAFFD4E6D714F775849E7E7C046B9D7ECDABEAF349D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231364Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:51.864{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98DB3A3139E11947D4942E0C3D09C97,SHA256=D7DBDD71473389309B2A1C6D53C542D76775A934A933BD98DD1A4A45780D14BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:51.516{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CB00A1218D6B13D16B75530C6CEB52,SHA256=A33BF73D8054A75BC4278B3E60F9F5B68FAE01B8F32071F75BF4DCA09803B4A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231365Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:52.911{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45024C4A9A14692D779315D24B71B3F,SHA256=A060E17CD0F44DDA002732B474FA3A66D2D1FA4113E863B306697332F217AAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:52.516{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095DE2AAE68318BA6123C9BB33DB9DD1,SHA256=CAD2F81578C717055D7C88C28B0159F33F23609D0FB99DC1065B51618713DBF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:51.694{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:53.548{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1865C4AAD3360AA4366BDAC7F2ADD8,SHA256=06CAA957C2E7E396E50C6F9FF9886F56A8FCFBEF8A2F9A156A06F4B70D0E6381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231366Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:53.911{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1327D3EEB9ACE36722C234C28B64F98,SHA256=7746E7840187FC8204579C9107D99EAA546419B2E61D265F549F4F7E4E952B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231381Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A8E-6127-C603-00000000F301}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231380Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231379Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231378Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231377Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231376Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231375Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231374Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231373Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231372Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231371Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6A8E-6127-C603-00000000F301}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231370Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A8E-6127-C603-00000000F301}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231369Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.927{D371C250-6A8E-6127-C603-00000000F301}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231368Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.911{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83CE33C33A426DFC5200E7D4E5B6B99,SHA256=A2EBB026ED7E8A1A9F98D950558B76A0131D231B695320593E337414524761CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:54.563{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A971FDE48152BF2BC157F1F5C92DA3A,SHA256=FDEA598316B803ADDAD108B3ADE642C774DED1C7FA0394F1A5308264EC688362,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231367Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:52.006{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231396Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.942{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91AB0F3D1F7840B7F262883FD532082A,SHA256=CCD5744DFCC1C4DFA465E80408E5E7AACC300D890BB3F5E206B50AC5167F72C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231395Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.942{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=304E45654C312862EE466D76E5C9ADA4,SHA256=C1F2B0A85E0B3B2868C30EAECAD227F37E429A9087A51283FE3488BC7919B4C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:55.944{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-113MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:55.581{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FADEB0284B73F5D0523EBED4651EE62,SHA256=EE5FE94F5AA8917F6CAB2C010B6D3A1F9E7475951E1BE90A5EB7E4203611E2FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231394Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A8F-6127-C703-00000000F301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231393Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231392Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231391Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231390Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231389Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231388Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231387Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231386Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231385Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231384Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6A8F-6127-C703-00000000F301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231383Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A8F-6127-C703-00000000F301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231382Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.599{D371C250-6A8F-6127-C703-00000000F301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231413Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.942{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0892733C2C2337B9FF41EBA6B04582,SHA256=C271CE8FF7C34793C063F5B69AA613FB8CE86950EA65E4DEBA7ED883EEBC2CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:56.948{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:56.618{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C31C63927D2AE2883D72DC04C085A6,SHA256=6AFC2CCE889332623A8100B85BBEB07BB4EFEA10385F02D6F80ED81CA99820FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231412Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.442{D371C250-6A90-6127-C803-00000000F301}923476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231411Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.411{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231410Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A90-6127-C803-00000000F301}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231409Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231408Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231407Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231406Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231405Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231404Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231403Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231402Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231401Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231400Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6A90-6127-C803-00000000F301}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231399Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A90-6127-C803-00000000F301}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231398Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.271{D371C250-6A90-6127-C803-00000000F301}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231397Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.082{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934E486270F31851871ADE0DEF6F794A,SHA256=B9398B1AEBA3DE1DBA70BDA3270E300F8B8B258AE51DED6B4467A7237D8CE716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231415Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:57.973{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F629A59D150D54301CD6FB18C66760,SHA256=3C18B2A4C1AE597BD4F25A2C0A4156BCD46329618930172497B517497576758B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:57.620{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD2D8F6CD7AD878E8807BEA5D114772,SHA256=02E66AB5FEC39FCF9984071968CDE8D17A878D866782CD52733DE029DCF13752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231414Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:57.411{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91AB0F3D1F7840B7F262883FD532082A,SHA256=CCD5744DFCC1C4DFA465E80408E5E7AACC300D890BB3F5E206B50AC5167F72C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:57.163{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=68A5251EF3E528DBF50F35F4F08B1729,SHA256=EB1794F93CCBC6341175BE85467F6AB4A9123FECD31C094A14A0F13465800B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:58.636{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D06B9F77CC3FE6F94C400F1B6B4257,SHA256=76AC77E1AD03E218175582CB01D0978FB08BDDD3F17E91DE87275697F4A6C66C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231430Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.366{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000231429Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.598{D371C250-6A92-6127-C903-00000000F301}39282796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231428Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A92-6127-C903-00000000F301}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231427Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231426Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231425Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231424Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231423Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231422Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231421Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231420Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231419Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231418Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6A92-6127-C903-00000000F301}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231417Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A92-6127-C903-00000000F301}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231416Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.443{D371C250-6A92-6127-C903-00000000F301}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:59.652{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC42B8B31DF646EC55C98E4C1B03FCF,SHA256=967FBFBDE65FEA0CBDA2DD0F3A09D23242310AAE8454E6F5C501A1ADDC34A8FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231447Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.723{D371C250-6A93-6127-CA03-00000000F301}26483920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000231446Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:57.147{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231445Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A93-6127-CA03-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231444Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231443Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231442Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231441Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231440Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231439Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231438Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231437Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231436Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231435Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6A93-6127-CA03-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231434Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A93-6127-CA03-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231433Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.568{D371C250-6A93-6127-CA03-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231432Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.489{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF291FE1C4F005E0AD01DDB9485D3A28,SHA256=778E6664EE8EBC300166E460D591E29F5B912CC14B61AA92D4E45F960E18B123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231431Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.020{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB1B6107160639D64FFBC93282419C5,SHA256=F00414C4AA0D2C5587F112719B6B7FC4E76653D1A26F2F0D809FD828B9BF17E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:00.667{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD18B3948B498CAB6AAD035FFEEFBF68,SHA256=958A3789102231CAE9F63B00209AABD6736E4D5855DC4CAE84F7ED663AC5E45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231463Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.567{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0458849A73DA57238F22508BB0303C15,SHA256=7910C35183379AC0589098F2BB631D6F8A3171E5EAB686815761B73ED7F977D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231462Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.536{D371C250-6A94-6127-CB03-00000000F301}5043812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231461Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A94-6127-CB03-00000000F301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231460Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231459Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231458Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231457Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231456Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231455Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231454Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231453Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231452Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231451Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6A94-6127-CB03-00000000F301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231450Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A94-6127-CB03-00000000F301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231449Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.178{D371C250-6A94-6127-CB03-00000000F301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231448Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.036{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502E5FBECD89624A8DC0180372E5F9A0,SHA256=6A2CD423EDF6AB754FA628A17E574BB460A68F190454426B28AD93B109EB0194,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:57.595{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:00.214{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=144BCF100213E9CD4CE3805CB2994FA4,SHA256=F6A985DDDDDF8069BD5C669552130383A459E8FFD20CCE457ABE3674A4B50018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:01.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BCFC912DDF579DFB3398B136E7A5A7,SHA256=286FE14218BA5A587FCE86EB747CE4E73BF710AC0C15FE62BE6529B573EB0D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231464Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:01.036{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA41DDDFB6CB284D3F55DB8B1F58644,SHA256=5FEEA5157F6FC6591F57E39523EB7A6F1BD30A0EB74FCE849C371DAC39E17F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:02.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF71C4A2F6485C685FA3B515E0BA8913,SHA256=5E9DE0E1D43E5E3738507B6143D257A8B78AACB59FBF266C5F368B9FCB07DF90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231478Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A96-6127-CC03-00000000F301}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231477Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231476Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231475Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231474Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231473Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231472Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231471Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231470Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231469Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231468Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6A96-6127-CC03-00000000F301}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231467Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A96-6127-CC03-00000000F301}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231466Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.099{D371C250-6A96-6127-CC03-00000000F301}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231465Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.036{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6138B5BABC6F68B82C62145EA952D9,SHA256=843B8C83A689B96D1DAB80DD048F51C2131CB59B8588B7B0950316759329B337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:03.698{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6EF619387CCA4463E8D5FC6358EF294,SHA256=7D6D44208F47FB8ECAEE46D4D46332974C2EC64C79CE71F558A364D8A7039D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231480Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:03.317{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D9B93A1D3C5E32F7F63C3A81ED88DB0,SHA256=2BC3515BB3DA9C41CC386D8E98340339CDBB52575E57B5182370C429A9852D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231479Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:03.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581E4C6FE496C1E9F11D7ECA201402F7,SHA256=1BB2FC869961E4BDA78010244195F1540BDE712908F50CBF1FCB6799BEE6233C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:03.495{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:03.495{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:03.495{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:04.698{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BFD94B1CA8BFDBC951623D6B91AF03,SHA256=A4D97B1B334453979B2729385DE84D6F06D3539F339F9395F5973CB67EDAD219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231481Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:04.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5368EB5CE02105840CF66D24C0E8B7AF,SHA256=B1DE9B40F5CEF140E18E85F0C522BA2C56783F3795DD631E4B8BEFCAE6E3BE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:02.736{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:05.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB2CD364CD84039289BA3DB6FE9E654,SHA256=286E2207654B13AB0D883780CB6D10BAB41359980BE7783510E2A5E14C58DF66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231483Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:03.116{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231482Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:05.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B672179309EB4C19CD82A099303B6C3,SHA256=86AAB72150E23EEEEC0076B6471D6C06D66A8A712234C526E96C7383682C17F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:06.730{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C7D95605F0DBDEA2AEF586FBA747AE,SHA256=9CBA57EFBDCA13717756FDD547306E1AC176328E7AB79EB2A44D3C56EA875ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231484Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:06.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FDD9A5E35F7FDB4E4CB7CC53F6C0B6,SHA256=ED69C2DAC6EFC448433E6EFE1C28A88F07C303C6A1F476E9405B69F9C1102F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:07.730{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6138F188E7AFD9B3CC0DB350030AF9E5,SHA256=53B44A5E9A604FDB171D2D3A9CE6FAD1592A6CEDEF3647F2069209B837EA2964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231485Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:07.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B966EF08423D3B751CC975E6555E7D9E,SHA256=1B8F3CEC08312DB903F8E97C0697C3DD130AD69B3593BEE66D37B8106DA1CAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:08.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB86AED188FCB21F5EA9CA6CD8682F3,SHA256=EE8BEBB5C6A1FF3C3A29D351483825EA347AF3718F610CEC6EDDFF1E4A665B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231486Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:08.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF85A97316B890ED79BEB71A5DF8FE8,SHA256=DF0D6AEA8985595F5684AA459376A230A165EAAC878168B90FACCE5A33E4942B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:09.761{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21CBD8397E17EBF62CD20B552E1F3E9,SHA256=A951A498C93E377A34610EA7379B7524FF8EC4C4C97DBFA34A3C2CFA36C9DC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231487Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:09.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81641A44BCEE0E658F3FE4DBD362CBF,SHA256=CB97D745122E2F7473B25E1A1383E77CB1AB858BAFA5989716581E09AABEFBA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:10.792{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF83EAE88883FA0B9343D808B298ABED,SHA256=0653141D127AE74F0976B948E2315AE3308B9556FD6DE32A3923F700EBEEC1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231488Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:10.145{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB22D44ED477C2C1F2347EDFFACEB30,SHA256=780C64AFF5FE6786C809D75AEF8EEF47C572F30774475512D1D9AF318C617A26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:07.829{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A9F-6127-0704-00000000F201}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A9F-6127-0704-00000000F201}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A9F-6127-0704-00000000F201}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.934{80A11F3A-6A9F-6127-0704-00000000F201}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.808{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE883433D080620D7411C51D388B878D,SHA256=9078BEF2AF51B58E647C3CAD6221007CCFD3208C1CB87F04D97770FDCC3A79BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231490Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:09.116{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231489Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:11.145{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2616CAC1A63546DB0858CA77F082F55A,SHA256=D9DD9E68468847808CF150BD8912DA04CD5616E6AE760F317ABDD8980EDBE38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:12.948{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBA7BCE6109B883650D1314C1BE8DEB9,SHA256=B56D97A37BE1E87903496A32D1D9DF61F21DB96588B420A4591E9A6D8F79EC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:12.948{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ADA37D042399E2FD1DB31178F8A24A5,SHA256=8683E82612FBBACC6D1B13A5146D418EF1751F49E2CACA144AF605B8934F5F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:12.839{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC35DAA467B5F51F7B604E5FB7AF1BB,SHA256=09D75A172179EF08E54C6F394D70822CA9BC1AD5FCFB0516F2794F9F4B982412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231491Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:12.145{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2AE3079C907FAEDFA8108EFF4ACBFB,SHA256=A0AE06F53FA29C07BAD820E7113F53DEBAB44E1EE94C677859FE8297147EE83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.917{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F6B060544F5DA635C141819CA050B4,SHA256=B4E94D05C9BD612F5653A35CA2BA129DD583DF82D3778B965476B5D036538DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231492Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:13.145{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8149D049791EF8FC3DE1A768C383F59,SHA256=6741BAE3721E706E6F57DAB899C47D260F5CA579EF1C62D0AB4C3EE24EBBF93A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.886{80A11F3A-6AA1-6127-0904-00000000F201}24684784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA1-6127-0904-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6AA1-6127-0904-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA1-6127-0904-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.559{80A11F3A-6AA1-6127-0904-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA1-6127-0804-00000000F201}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6AA1-6127-0804-00000000F201}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA1-6127-0804-00000000F201}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-6AA1-6127-0804-00000000F201}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:14.933{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A140104A1414507F11548B899190F21E,SHA256=24F93FF82041E175C7CE162FF88F3A98C095AB18C82D6C2957F376370287A58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231493Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:14.176{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF87379A16436B82BE0DFCDE22CDB0C,SHA256=27568CACF33A0A46234F9BC7C5FC00C1468DD2D9F157A6DC27A805DC6B33BB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:14.073{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBA7BCE6109B883650D1314C1BE8DEB9,SHA256=B56D97A37BE1E87903496A32D1D9DF61F21DB96588B420A4591E9A6D8F79EC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:15.948{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2D6E1DF9360D6EC2ACE1F4AD252C9F,SHA256=45CD318EEA700AC700328ACDA8AE2B20CFAC6EB4172AEA160FC6BB0F5C767D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231494Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:15.176{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0639B889700FEC3AD4B0EF1145A83C,SHA256=86469A4883A77470B9B6F4C470EB4E15BC704FB6F31FAA6BDB62387CF3777D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:15.542{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B2CBBC581AEE4B33B19B3A0BB3FFED,SHA256=0D494A9909E1E14EA5E6005F5C93472EAB0D6BE6584CA276B81CF6812614AD60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.751{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000231496Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:14.178{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231495Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:16.176{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A73462F1435227398E19D7C6A84E8B,SHA256=1C0241AC618A603E4FD9E225DC103AED224A8F307C4F06BF39D1F6DFB3F40D0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA4-6127-0A04-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6AA4-6127-0A04-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA4-6127-0A04-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.840{80A11F3A-6AA4-6127-0A04-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:14.079{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58151-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:14.079{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58151-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 10341000x8000000000000000272473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272467Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272466Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272465Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272464Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272463Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272462Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272461Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272460Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272459Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272458Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272457Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272456Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272455Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231497Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:17.270{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDF43463ECC5228F34BB32057C2BA01,SHA256=389679170012F337711CFDD5E579ABFAB4ADC8901D5C1E22AD579DD27F544FA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272503Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA5-6127-0C04-00000000F201}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272502Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=504DAB307024E630FE251C4FF51F75F1,SHA256=53C07C36136F8CD94150AE375888CB6FC003A7D3AEBCD75A068787AAC180AF41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272501Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272500Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272499Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272498Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6AA5-6127-0C04-00000000F201}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272497Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272496Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA5-6127-0C04-00000000F201}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.856{80A11F3A-6AA5-6127-0C04-00000000F201}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.636{80A11F3A-6AA5-6127-0B04-00000000F201}10484504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA5-6127-0B04-00000000F201}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6AA5-6127-0B04-00000000F201}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA5-6127-0B04-00000000F201}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.357{80A11F3A-6AA5-6127-0B04-00000000F201}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E283A715004A59680313A014D2D1C48,SHA256=17CC7F3D8BC0AFB31E094D6D473C52CE9498478E91FCBC22FAC84E83DDE3AE0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.043{80A11F3A-6AA4-6127-0A04-00000000F201}50641076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231498Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:18.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A03625AA81B42B97CC32F58A404CDC,SHA256=ABF481E7DBFE5DACFC0BE0F7620527133C58DD9EE4F424BAA5906609577439B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272506Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:18.870{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3203A20E4A4C42F00B5F53AF337800EE,SHA256=6450E69688F1B501751706717774F36CB648081214E944F4303C9066F84EF52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272505Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:18.105{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FC29279DBE4D1B0AB066ED9B67333B,SHA256=C8CBE0BB027BDBBFFDDE15007A215D33BB9CCB2E1482E9B595D604D666524D67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272504Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:18.042{80A11F3A-6AA5-6127-0C04-00000000F201}47563960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231499Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:19.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1214519D3537049C4EF4B068404439,SHA256=1CC7ED12C64BB9C69C064098DBD0ABA4E04EEFEB0EEE73F2EC294230978F1347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272515Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA7-6127-0D04-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272514Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272513Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272512Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272511Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272510Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6AA7-6127-0D04-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272509Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA7-6127-0D04-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272508Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.512{80A11F3A-6AA7-6127-0D04-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272507Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.105{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7427498078E2C4DCFFDC11630E2BA182,SHA256=FBC037268EAFC2904CFFE0F80B64A1A20D85724B4A1C894ACFAF5F06C99ED851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231500Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:20.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D7EC549BDD567D85BD620F8A36F941,SHA256=3AA9928DC4F3744F78EC4087C81AC85CA95AAD27378C47C3179E2B57C493B9A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272517Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:20.526{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00B38B170B32F227AFC1068CB9C5A97A,SHA256=7EB38F7EDD2AF28EC6601617C996258F9516987974572AC779E5B5DCD0706098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272516Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:20.120{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20DBC68E3D4DE750AA2CC7C9EB63A45,SHA256=8B7E722A39943244E91133CC7283A94F46C2D506A838ED24C90BF1E53E2F3427,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231502Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:19.194{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231501Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:21.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11BF6F22AA60F2459AF279AF1FE8F84,SHA256=86A1C4A8BFE07814738780E51A946F5408FDEFB455E56DF3B9A91126ACA019E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272519Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.785{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272518Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:21.151{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED7C16BA5A8C207CA59775161AEA0A7,SHA256=F847E78E0615FB85D857FC442B908F90760E4D6ED7121BD73AC83150BE81624E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231503Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:22.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798486A952CA8D94B69CECB0929380BD,SHA256=C6034D37304F08440A5F4127643323566D269AB34CC88EFE2A3BF420541AFF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272520Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:22.167{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB15FE853E70726C4C5EA4CBA3ABCFE,SHA256=F2DCF0BCFE1031F831FC8A628846714F6AB2E8617A8A822DC6DF6BBB04A3DF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231504Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:23.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B256693B8BE2F7E6DD848A994D7A2166,SHA256=5F976774460C6D5E71923DF1CF798258168987ADCEEFA4C9B46996D36E6452F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272521Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:23.183{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB33423797E976F6BD3D1EB1D80379B,SHA256=8AD4D083D098487045569C78438D0391EAE34406C304CD95234363BB0A1118DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231505Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:24.348{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CDB2E8A216D9056037233F4D11B639,SHA256=DF530856A6ABAE6AAD98B47C58118148E02E8CF4F9021FFAB6D53F08C9AA23DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272522Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:24.214{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7994E3F99FC5004619C728C9CA624E,SHA256=E47B6D957356BFEE9D2EB2AA7E9E83B51CFF95D4209C98F89AB7ABD11D2F681E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231506Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:25.348{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C4113A1564279AB0AD20585D01C368,SHA256=4A06C6A08392183FA0E67209D3DA0FF40B39A897DF5529351258483EBAC6CD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272523Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:25.230{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A261C3E369E3C490F6458FB1948047,SHA256=18C7DFD917864B5B6369448D58A4206654C8FC76F1AAE3ABC1A18260E4812F9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231508Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:24.225{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231507Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:26.364{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786C44619BF45ABC5DFA91EA6DDDB6BD,SHA256=83FF37ED6D1F38AC6D2D405CC0B1EBA92B1608E43C6DF1AA01401AFBAD6EB639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272524Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:26.245{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A82FBF3B91A02027EF350D38D26FFB6,SHA256=6EE09045FCF5F7F2709C5B377E8A4B098054025C0995044CC1CE5A35E42A4F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231509Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:27.379{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85419D3F12EA3B0C28CD9B91F91048C3,SHA256=528E74508F03E471157551E4DAC2FB1D16A5B0CC565BE956B8A46F9B3276EF16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272526Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:25.814{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272525Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:27.261{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974438B66972A6F73E400AA7EB5617C4,SHA256=C37E1477B62D0B297CEF378871E02DA4E74A5B1927FD5684F8315DD5313F4D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272527Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:28.292{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5469BDC5022CC6713A80890341168A94,SHA256=4C6A93E66BAA28B8D2FAC9B89B03DCBBDA29234BDF7FBDA65B0BC756D21471DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231510Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:28.379{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DC25708F9A9539BE73CFEC6279A5CF,SHA256=DFE54E7E5AEA0649686D499342F4F4179E6EA833DB0EEC05BF025D7F6F662EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231511Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:29.395{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EFAB3CF3A8C5D916F9FE50574C14A2,SHA256=2D2454C806458C0098B259371CE8A095217B60359CA984E991F51CBAB28D4F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272528Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:29.339{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B721BFCBE6C244FF5D91CFF2CF6EE0,SHA256=02DB920A9EB25E8DC03905BF1AB69FDA13F8494B91598B9956157186645E9CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231512Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:30.395{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0503754F390B8504F019E973A54321E8,SHA256=507D796B86A9D432637D52A1117F744BD7F4C282E33E9661922857FBF2336EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272529Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:30.354{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A7D4FC91E1930DE1223E1F7856F38C,SHA256=51F505B4CE505336706581DBE9977307AD23997F114B5DF96581CD38D5B49D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231513Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:31.395{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D243BBE42404984FACCE35F32A32DC,SHA256=1CCA096301CC8E6D0BE546847E7E1C871CD5C0A1FC8711C5FACEC578B73884EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272530Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:31.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507DB8C8160251701708E526F5ADF70B,SHA256=D6749EDB42AB0A7FE93ACBE0B93643946E8ECE5DE5BACBEB38D5AE243B6ACC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272531Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:32.417{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EE8E67A4A3E5BFDBCBB14435F816E1,SHA256=340C40FEAE82C9967DA197B36D24FDB2534FDC9EA54DF67F21B7783DFCBDCC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231514Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:32.426{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E69E82B6CDAFE255FFA6CAB1D1B06C,SHA256=61E67E434D8D8C226F4DDB362CB341C615377260E0824410F97067D6AA877EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231516Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:33.426{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6538FCBC0449585922E5B956C6981D,SHA256=2FD0887B8326B6D89039239F356AE671D89CB880DF373A601C6F8DB979D1DAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272532Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:33.433{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA2CC485BD04C0FE338D26C80544BB7,SHA256=8E2B00A1F7B5E8884512E65121FB4B3F2FA9B53EEA9E0182CA21DD53E49685D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231515Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:30.007{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231517Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:34.426{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA95AB3702D364301E22F7BD4FB05F97,SHA256=F065DC523D3D309BDD027E14C21EFC1BEA450EB1177D82C7FC71FD8F7B46717B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272534Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:34.464{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEC31B9A77487BA4E0BFADEBF5F2C1B,SHA256=0069DA376E11DE9EFE6F08045F795C523C3DE70EA2FF0EBE93E8DB59778BB145,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272533Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:31.814{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231518Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:35.426{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A130905C776D403E7267DC9E74A16D5D,SHA256=617921D4E305D43276EA8AF67C68E2FBF2D5FD2F8FD782D436201AB4A4171EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272535Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:35.479{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC81CA238F0E2355B1EE9194470C031,SHA256=CC67F6D7F39CF7A9E3FBB453EAAAD780AEB7FB26898C867D3EAF75553D1DBE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272536Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:36.526{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B81873BA5C5C1B5A7880D79C6F11A3,SHA256=0224663D7F899CF33701814591BA438EFC1A512996FAEB60564C4F2DFF3A31A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231519Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:36.457{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6222097CC6F07EEFBAD42AFED8D42111,SHA256=1395C7C1BB2FB6C022176B715D733692D9663B7F54D544EE014EA3CE4A4C9232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272537Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:37.589{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5497B71F21165699A496C38FAA0B1E,SHA256=FA3104410CA375B2646A96AE05FDDD05617D749F8848D617E1F47C15DB1677F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231520Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:37.504{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E27D279BD6C56A645E2CD340D26F10C,SHA256=002B39A36B116960F3C9D10FC38E79BFD433F8F24BA7C0170CDFBEDB001EC1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231521Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:38.520{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3592245C71FD8C64F242745C7BC554D1,SHA256=DA734F96505C4A675CF350B9EAE133F14801AAB5B9EC1285D7F2415E2F15DEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272538Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:38.604{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360A441DE670B3E147E375A90399D1D7,SHA256=45460F808D670C41CC9E26CE716FBFF5845EFDC132C33C50B5CDCE59882403A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231523Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:39.535{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372B900BD6BDD9FB6B361932DF149DA9,SHA256=D60C54280A6E0517D71D23C4B0499497F3DC9E8758B5E7E245CC67F6650154CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272539Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:39.620{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E46B0FD649EF4AFE66E2D787D28021,SHA256=C13167E5F22B7AF1E5457C31FB496E6E82AD81F4F3F15D9300356B41135992C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231522Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:36.038{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231525Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:40.599{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FFCB6739033CA09C3FAF2A0D8EA79C,SHA256=C4FAD6CF1C52F11B34CE52A6EBD155C2CA91C9BF45090148C4D8EEE02DF62166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272541Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:40.636{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C6DB8E4411DB1123FD7DC55FE7A84C,SHA256=A04CE4DBCC9C981A10ED9A842185C6FE369A37694F6798DBBDA5C0077D041B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231524Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:40.320{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-114MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272540Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:37.798{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272542Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:41.651{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430741062A0190BBCED515DAA449D7EC,SHA256=4D52B348C0227F42D94D6967158617F9D0D8730383C9296AB2CC79BC4A3EE522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231527Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:41.706{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8ABFAEB287659FCB0EAFE85BDCE374D,SHA256=149FD3B64C08CF889FD5E0597923196808F8200607AD0DD455CF830CF665394F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231526Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:41.334{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231528Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:42.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6482FF5309CAE7FCF3C326E9E2D1D4BE,SHA256=1356D31CDC7EE1169D5E21E1DC2213A7F5B460EE49790DF5E10CF71ED6028277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272543Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:42.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA5D85A2C17E1903F706448200E6A76,SHA256=88516C761E59DEB4FBC8527F2840548D0EAE40171338E9AB770059BA1B00502A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231531Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:43.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF160D7C2F1387F1F1B352CC4312562,SHA256=DC373107FDAEB2BFB72EDFC44773E53915A37780AE4AD00F289A7EE30E658DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272544Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:43.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165C82EF409BD54CE67D6FE113A8A292,SHA256=99207E5907C5986417120664A205A42B1F6EA436FBDE3BF8E84994B05A375E74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231530Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:41.225{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231529Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:43.426{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4B6EC134EB033B348EBD48BB69F5D523,SHA256=26309029C62EDD7769056E00F7D767D8E97745784BDF071F79CE3DDB443298F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231532Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:44.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569087164A17081ACE1D0BA48D22D19F,SHA256=5A1CF33DA87B478DCD577D2702D3F4691B989ECE4141DFDCECF5ACC69631A018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272545Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:44.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B9DDA786204AC99282260E0265F56B,SHA256=2D71382F8581074A30E3F4F425C630F0F923E111DD20294E136E7A22FC722464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272548Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:45.917{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FB43EF7CDBF6000DF8A45501E8C4F9,SHA256=31063A93EE754B938F654F3B6A042765B02515A4532D8AD7495A8887372F4521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231533Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:45.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C86BCD97C1CC3100969FDCA848864AA,SHA256=341A9D11F89EC1A8BCE524E7EF02C7A154A117DB7C911401B3C7B3DE75A822F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272547Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:43.630{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272546Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:45.182{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2FA36E0756B3350F84BD743B7730FC8B,SHA256=A48A48D41EB61C6763D1F304405C49CB88D7A4017F0C461AC52E753007928840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272549Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:46.932{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4458C3324DDDC64B73C37AC2950E992E,SHA256=3B734DDD085E0A322B240D5A62A6587DDFFB426F9F4C84558354B2079B3056D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231534Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:46.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C2D8DBC7174A59A3109F2914A597C8,SHA256=4E6F98A7CB8B65E429CC7DFBD054C1B41F47C4A85887C77DE5F8493A3E29094A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272550Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:47.948{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FCBCFA45E93DE111B23F0850A2930F,SHA256=AD04451DBAE2CF3AAEC3863EBB88FEA45C850F13DB74BE5263E1A871951E2E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231535Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:47.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42C875C93311420FE20D06EEFBBAF86,SHA256=BFD12026ABA0A04EAF2E6620B8DD1B2B60B31B9E08D10E0B734A95251472F5F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231536Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:48.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF978FD9F5E91745BF2D7E0CAE8DA2BA,SHA256=02DE7F1D2576E148BA515F8CA52B9644C3F39A4D852C090A9F8DF30783EA9865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272551Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:48.979{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D8CF4A1AB1B2111E143E27D8DC0A13,SHA256=4968ECE80AC7B75D136630DBE8ACAA1595F748C1B19F371F49D941698952A480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272553Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:49.979{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FE7AA17657FC62DBE6695F4980720C,SHA256=27515947EDE52314305AEAC08CDB1CC52EC65CEA92887042FE7B3CA59AF3C8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231538Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:49.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354C4280E599D939AFC70165256DBBD0,SHA256=4AFAF5A19C160127C2B7CA1108466E537F9470D600D2282B102AD2D8D725E802,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231537Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:47.116{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272552Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:49.573{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272554Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:50.995{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BBE83E48D50BF0B02DB58BD81C7FC4,SHA256=1DE1BEC0A62455AEFCC9CA04A7BDFEF3DEC8C8CEE4B8737C7ADDC474DE60DED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231539Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:50.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3663959AD47D46B36B926BE3510CF2A9,SHA256=ECE5A87224B35878728A6B55211DEDE3E414F3FFBEBE7D2C452A9EBBE6C75E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231540Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:51.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34ED2B838331B79595FE1540417592DA,SHA256=8E38CD12852E560EF326DD9846BD7DBDD346F3BED5D10D4A98FA56538A66AD85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272556Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:49.657{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000272555Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:49.126{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231541Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:52.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D91BC4C09662EF98899344F47201708,SHA256=0EDEA5908D8D99E9F630BE4A2E59F65ABB7126539B1877BB1849C3D7BDFDC189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272557Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:52.011{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2942427841E9DE20FE14C058CA32499,SHA256=8B5A3B8B233BCDC8F485980577479E7D2650952F9E9978C6841EF228AC8EC06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231542Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:53.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD52DEE7E6A2B1A56AD21CB3642B501,SHA256=7049FBA3BE5C5E2437199183DF5A6B87D28DA44BFB148ED9C6CD545E49549C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272558Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:53.042{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57CE7C039C1145AC85F7B5B4A5124BD,SHA256=5342F689A92B0EFC9689551803F0136F74890615DC7C3DD11381DC5A385717EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231556Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6ACA-6127-CD03-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231555Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231554Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231553Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231552Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231551Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231550Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231549Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231548Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231547Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231546Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6ACA-6127-CD03-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231545Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6ACA-6127-CD03-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231544Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.849{D371C250-6ACA-6127-CD03-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231543Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9B3E07D8A8AAAFB8BCCC8EEC3051CC,SHA256=C55CC45296DE7E62C17A69BB8EE993109E1B74C261D82E64CE5BFEECAD9F3F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272559Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:54.057{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9614ED9DB2D585B2201F514A6C52348E,SHA256=36B04FD180A5ACE7B178DFC5044719F24B92BFEBF2E4CC4EBE6B8432FD3A6CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231574Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.988{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B42DB745F29E1C482364D64B5AF19A9,SHA256=70CEF024696A1BFDCB52B1EB37988FC19290A21CA596218DF6B24643440A0584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231573Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.988{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16ABDA13FF282B9F376D3ABBD5484F1A,SHA256=56877BF2B7FC1DCDFD37998308CFA4FACC73D9FC7F6A81CE81CB7810C09F04A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231572Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.988{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B11C494B2BDE5C70B3CE520BAEA71BA,SHA256=D6E9DD2D3451B9B4D639D00FAC7A8120D57B067849595D021AE6F8461C7BF955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272560Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:55.073{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE533C2435D6A9B04032AE9F12938B7,SHA256=6E44EB463749B29DA2F90F314B156C6797D4BD70750FB481C9D601FD585FA6C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231571Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:53.132{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231570Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6ACB-6127-CE03-00000000F301}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231569Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231568Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231567Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231566Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231565Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231564Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231563Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231562Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231561Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231560Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6ACB-6127-CE03-00000000F301}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231559Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6ACB-6127-CE03-00000000F301}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231558Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-6ACB-6127-CE03-00000000F301}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000231557Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.004{D371C250-6ACA-6127-CD03-00000000F301}32762044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231589Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.988{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD75AB612F48D669CDD249598B227A8D,SHA256=15048C335EA712A254567C768123C5DF5F8A291C87937C6728BA328C28A2B9CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272562Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:54.767{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272561Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:56.073{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04ECA603AC426EA6C38E9CA3EE2788A5,SHA256=B42112C0D422E3301EE7968F3321813B477923D78739DC0D14BAC871088EB851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231588Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.426{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231587Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6ACC-6127-CF03-00000000F301}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231586Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231585Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231584Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231583Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231582Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231581Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231580Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231579Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231578Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231577Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6ACC-6127-CF03-00000000F301}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231576Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6ACC-6127-CF03-00000000F301}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231575Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-6ACC-6127-CF03-00000000F301}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231591Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.382{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231590Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:57.191{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B42DB745F29E1C482364D64B5AF19A9,SHA256=70CEF024696A1BFDCB52B1EB37988FC19290A21CA596218DF6B24643440A0584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272564Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:57.483{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-114MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272563Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:57.074{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC06A00469DF966A60EF9C467BA3923E,SHA256=EC9AF60FE0AAC69E6EEFC9B66217B73803DECD5778D4DAB94D036B2C2A7FB084,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231606Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.551{D371C250-6ACE-6127-D003-00000000F301}30401972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231605Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6ACE-6127-D003-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231604Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231603Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231602Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231601Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231600Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231599Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231598Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231597Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231596Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231595Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6ACE-6127-D003-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231594Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6ACE-6127-D003-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231593Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.364{D371C250-6ACE-6127-D003-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231592Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.051{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2C6003F38F1F2A64D691D9ABBBBE07,SHA256=4E139A4B7EC00330747D57ACA0B5F18D3617F32AE5BF7BC56028A4451C22EF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272566Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:58.496{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272565Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:58.104{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C273682FCFCCC5EB7023CF9B447E530,SHA256=04777E54DEDEAF40A24D172734E160E5D599C9D3E16A38E1A95CD4CDF05E9DBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231622Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.645{D371C250-6ACF-6127-D103-00000000F301}19883592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231621Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6ACF-6127-D103-00000000F301}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231620Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231619Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231618Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231617Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231616Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231615Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231614Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231613Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231612Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231611Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6ACF-6127-D103-00000000F301}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231610Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6ACF-6127-D103-00000000F301}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231609Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.506{D371C250-6ACF-6127-D103-00000000F301}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231608Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.363{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A736596333044DF1A55217AB1EF3B8E2,SHA256=163B417B5626D911226531C31A64E1378E49664A47999DCAC1BE007B21A51A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231607Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4311C6169AB265CA2D603B3D53BC26,SHA256=5F1FFFE6D14E85C1162FF38C045664F82D50D06473CC00107AD6021B82074891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272567Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:59.106{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F04FD0E0B9EC5BC9B1F350F642D559,SHA256=CB9A7786904315C8D279BC5A5853512E1F567D72622FB21D93B26AAA4A4BCD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272568Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:00.106{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA7F0CBEC59F26BFDF31592CB8F6A0A,SHA256=5FF5E8DCCF78D70D834E00965AAD2B7BEA7E59B6436FFF9A0E2D030015E64C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231638Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.504{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5FFD20C66F5E38667739CD3309FCD74,SHA256=1F7BC90C00FEF5E73B3228A8B37E9238CEB492EC2ED6B6F11C77450C5515A02D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231637Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.332{D371C250-6AD0-6127-D203-00000000F301}96744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231636Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6AD0-6127-D203-00000000F301}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231635Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231634Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231633Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231632Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231631Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231630Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231629Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231628Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231627Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231626Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6AD0-6127-D203-00000000F301}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231625Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6AD0-6127-D203-00000000F301}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231624Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.177{D371C250-6AD0-6127-D203-00000000F301}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231623Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.129{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FAB5A6E21C558A0A118606AF5606B2,SHA256=8630DB45F9C21688DACD6047301D038FAC8FEE8C57118870A52AC39C5C1D554E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231640Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.117{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231639Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:01.238{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE196B4E312ABD3EC306337F78BE1D60,SHA256=0FB1682852B7A5D331614A5C316624650A8F3D284370C80DD5DC7A08D158F6F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272570Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:59.769{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272569Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:01.122{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCEC9E090096018C722ED41D7462190,SHA256=C0B50EEA5435B15CC849C4C05169ED1C644518B178882B68FA03A50776A438C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231654Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.270{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F8574C2F76EB0CCB3F46FA90C3F288,SHA256=AA1FA0955B5E64F8752D1746AF9CD8C5156F6085CCF73B3BBFC936FC89786D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272571Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:02.137{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F425F9D1B831FF23EBEEB58165C5DBC,SHA256=C0C9B610306BB251CE27C92BC23EFC56E9BE48B0D5F5888BD9EDE9D8D059AAEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231653Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6AD2-6127-D303-00000000F301}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231652Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231651Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231650Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231649Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231648Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231647Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231646Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231645Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231644Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231643Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6AD2-6127-D303-00000000F301}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231642Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6AD2-6127-D303-00000000F301}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231641Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.099{D371C250-6AD2-6127-D303-00000000F301}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231656Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:03.285{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D1EDF0B803E4A38C18BAC9BA169395,SHA256=CEC3646E98A9FF3B563E629F7F86F22C87C49C22F8F86992ABF80CDE6FADB05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272572Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:03.137{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036E50A51F447613BC2C71A41C2AB83A,SHA256=25B7B0631B5E10BE85127DE0BCD3280A99449FC6F6A1BC117D741E76A5F55A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231655Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:03.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=689EFF301F0ABD32173BD78D0F0FCA38,SHA256=F270C2F2785A326F819993A4B9EF101790D376F689AF8D963C23A4D5D09438AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272573Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:04.153{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32921D48D63B13D28C55BE497D546065,SHA256=8E33CFBBD34276FC3FD263CCA8D02820588A915BB75EA26E3ABD593431FCAA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231657Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:04.301{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4701A35FD42D30871DE9F4C61CD9FB5,SHA256=2FE8200EF15BC404AFA3DA513B5A63FBA4264C2A29FC26D1E14DAEF741083762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272574Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:05.215{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D434C75B694CF89D7D8B741E9D4C5191,SHA256=6876AE0227DAFFA6926AA43ACD1B1C114D448ADC34B5F56CE7A7805D9CE1A58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231658Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:05.301{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0202CB60F52F69C3A8941A234F4F18B,SHA256=141B7EFFE388C92730D50036A3925AE41D3484291D1EC36BC71FCC542271F376,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231660Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:04.179{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231659Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:06.363{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039ABC350E41C5ACDF16275B3EF171DD,SHA256=C8F8B0113DAAF8FD03ECB572A22EB6C15AC9678A2491F786CF43EDC2C96C4629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272575Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:06.231{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AF4444B52A7E77679ED18B9E998119,SHA256=4A08C4544D5B9B452744C2331924D9BB760092FDA65B69D42683D11216E3A7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231661Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:07.410{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B9A3C4D78956FB98EEAD2E5D97F79D,SHA256=ED6F1445920F04FF05D6FDE096DBE94E5CEA32C34C0D798A9CEBCBDAC28BE2C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272577Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:05.690{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272576Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:07.278{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676793251AEB64F83143223334270667,SHA256=020F86CA2548D22AE8778A622928174D5D54B101E4D74036326F8A73BEDFC2FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231662Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:08.441{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE9FBBF344FC424CB27DFC71A842C69,SHA256=3535E844A00B699E60E208A006F46EF9FC3C42E1230D5810E594B70F0A639558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272578Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:08.293{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5EF77DFF11D00C3382C172118C12D6B,SHA256=BC5EC61BDAAB7D06713F9036FDF58DB1DF2D5ADC1397F7E01EDDF4CA787EC631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272579Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:09.309{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F69D00FBFB62A1D3F43685936FB4AE2,SHA256=D765D2FDF3C4A40D271079B43E169C8CE036B4B002C459FF0C57421C0697FE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231663Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:09.441{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1FDD1B31846CC32394B9ADDE3BE59B,SHA256=A84A38F7B60A6C8E574D785AF430BFD389C2684190EB8A836D5A9A90DE3CEF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231664Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:10.473{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDA33E728E49F4FE5B2A0B191C0E81A,SHA256=5076DF9BBB3BF2588A158ECDEE6A87E3A629E59ABAD9B2D1472D5CB3D8649FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272580Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:10.340{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08252741B3DF18300F7413BCCAC2249B,SHA256=3F5FCE6D0D10B6C3EAB89059238F5D401E0E40188D1981BE40D4579F20C280A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231665Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:11.488{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781CA7483FB67103B916159EA97DCE8B,SHA256=37EEF157398D8A4A45D3234D95F06DCFA9D7FB9BB365605F81EA7EF21737FE25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272589Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6ADB-6127-0E04-00000000F201}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272588Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6ADB-6127-0E04-00000000F201}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272587Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272586Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272585Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272584Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272583Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6ADB-6127-0E04-00000000F201}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272582Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.935{80A11F3A-6ADB-6127-0E04-00000000F201}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272581Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6E2BB1A341E4978B8E296CAB53A7BE,SHA256=139BE739111D16ED9251F78F7E009ED9B8535C38D9C3705E0A759CADD713854C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231666Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:12.488{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A437CD282CF7C975C6D9C2B07F9A3B57,SHA256=32D40A57A3408DD6F82B26CCA412D0B7F7E2E3EB0656DE855E1683BE3809ABC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:12.965{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05AAAAEFB718FDC5A559FAFFDE48EB0,SHA256=62D8C15E6DB1AF17E1B406523B3852EDD975BA9E78BDD9C56D4223368748E601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:12.965{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFEFD00E922EA23BD491D771C92BB9F4,SHA256=BB7826F9CE68EF3EC09609D3FCE83788EF2320A85D5CF42D0199CDEBC434E1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:12.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDC7A87BFF2EFF827671EE74F5C7289,SHA256=6E3ACBA4BADF3B065D4DB85FF6861401208CB613010C988C1071F944CC274453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231668Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:13.504{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520FCFC41663130FBA5E297CBA87DA55,SHA256=05F08179295276C9F998F6CD09E09B6CEBF5B1E7B54F939B078D9E8BFF187387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6ADD-6127-1004-00000000F201}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6ADD-6127-1004-00000000F201}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6ADD-6127-1004-00000000F201}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.560{80A11F3A-6ADD-6127-1004-00000000F201}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.403{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5DF9BC086355FCA650F1E9E83367CC6,SHA256=1BF3277A03B1ACB87E6A08350648AD06DCCF26C9BF219C2B0A6F22DE2C8E3976,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231667Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:09.976{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.293{80A11F3A-6ADD-6127-0F04-00000000F201}40401160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000272601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:10.799{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6ADD-6127-0F04-00000000F201}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6ADD-6127-0F04-00000000F201}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6ADD-6127-0F04-00000000F201}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.060{80A11F3A-6ADD-6127-0F04-00000000F201}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231669Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:14.535{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47320C1A865FD64E5A2E20F6D604DBCB,SHA256=B636AF15A24F3B90DAEAF5A06E6B9536F1E7935FB14281CE3B9F3E7138150F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:14.434{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C15F69A4D260973D97BAD5F81EE5943,SHA256=D63D68B469F9B41C119606A5F894ECAD86B5015B446694624C8F6491D4BB1F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:14.090{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05AAAAEFB718FDC5A559FAFFDE48EB0,SHA256=62D8C15E6DB1AF17E1B406523B3852EDD975BA9E78BDD9C56D4223368748E601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231670Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:15.535{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9648F11D05796E7AEA375949A5860A,SHA256=62B76391B07817EB9981D57FD7579A615F1CBB9595E2FFB5485EAA347757D629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:15.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BE34F0322038C4F65CA21D80A424458,SHA256=1A7730EA81B84ECE1E2A46639C39406A0D46C5EF442A057A3D4B701B39196AAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:15.450{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E6BBD3DF0A9313E1D6B9F29C85A498,SHA256=4370110C5FECF28B861710E864A9D61A51F4996F7D90AF259B9FD950117C1BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231671Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:16.551{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66729590FC48926A86BD0199B346EEE3,SHA256=2F433F2945586E9E61E4C68D879E630D550B57D6427FFC64536AA393C215E2CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AE0-6127-1104-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6AE0-6127-1104-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AE0-6127-1104-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.826{80A11F3A-6AE0-6127-1104-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.497{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9ED189AD78A01FF11A9739B10BF153,SHA256=F7AA99116022A1C57432450726F44A4577C7A5BC06BE07F7E3478D94A3C037A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:14.081{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58163-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:14.081{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58163-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000231672Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:17.582{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF94C3000D34D7C73BAEB8D096F9847,SHA256=E278E568782E90F02126983444F733BFFD570808EA6FF5CCCB195B7487C2749B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AE1-6127-1304-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA658EB658E0D5B7EF9210E89E1502B5,SHA256=6A06C3B052846AF9085C494D370B3BE94AA1AFBE93C487893D6491C03225DED7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6AE1-6127-1304-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AE1-6127-1304-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.841{80A11F3A-6AE1-6127-1304-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.606{80A11F3A-6AE1-6127-1204-00000000F201}16323652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.512{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66C430BBB60702566D4E569442CBE91,SHA256=15FBB63EFD5F84FA889ACDCC5651A68FEA58A90C1B41EFD618F5E958C428E102,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AE1-6127-1204-00000000F201}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272634Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272633Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272632Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272631Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6AE1-6127-1204-00000000F201}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AE1-6127-1204-00000000F201}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.341{80A11F3A-6AE1-6127-1204-00000000F201}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.075{80A11F3A-6AE0-6127-1104-00000000F201}32244688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231674Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:18.629{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5242B9CDD83B78D74BC9E23FC80990DC,SHA256=1A2FF86D17908681DD61C155615CA45A3957BD5E4CE3D092326616514A43BBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:18.887{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC6FF8CE273C4702ED6E723727ADB878,SHA256=210D5054C6ED761C83D9320FB6427A14DAB12685E306131CF4FFA5413908E8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:18.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A92D8E7BDE9246BB93C6E3872EC9DF,SHA256=57F6FD2F6D153AF63423151A214F841312F94238231B5B6D37576AAA1BBDE6D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231673Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:15.085{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.996{80A11F3A-6AE1-6127-1304-00000000F201}27643172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231675Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:19.691{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A52D8092A6CC5050110BE2C6AA5ED6,SHA256=7F4AFB3185E5E384DDDC7C573BC840165B8096CB49C08F2AEAB9463D1210EEFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.637{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5596581DD20EA6C4F5BB44AFC01C4FAB,SHA256=1486EA5F1142E5801E2EE9D27CED3A80A1217609B084ED11E09E96045075D8F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AE3-6127-1404-00000000F201}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6AE3-6127-1404-00000000F201}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AE3-6127-1404-00000000F201}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.513{80A11F3A-6AE3-6127-1404-00000000F201}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.659{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231676Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:20.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10324D3FADB983AEC61C24BF40CA282,SHA256=949470FEF0E7D432E429CF9E6D80390C6E329DC7AB4E01E5F3A31A1655F6FBF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:20.871{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E902D1E8D1C3393AF902239091ACD443,SHA256=4800BACDCFABDB9079C27C85AC58762E92AFBC91C5231A375F1823BD384C2ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:20.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A92330E7A59B2DCA7EBB563F6DC5A584,SHA256=04146AC29FF01F35A2437750D1510AEFBACD4D2A8DD7EF8D94DBC282A24855DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231677Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:21.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529BC289A8ABDC85E647BD8010B11E88,SHA256=C83C70CD8E534774B3790C489BFDDAF531CF4173B6076B0D3F4961701233BA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:21.934{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B093D17314F90BE3CB5A88E9973B12,SHA256=DF3BA944B0DAA034E3AE1F17EBA6E54D5A330BCC6203C45896C74A044D8D7EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231679Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:22.754{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D777990AF335CAB8766A9BF4F6EAFA4,SHA256=C163A5B717FB6E76309504836E2303E10639544902C31A2D385BB634B6D9CEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:22.965{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9086296F6C10361E36B6EAC8130A8EE,SHA256=DC3D9F68642C0C6372CCF755C16B30BBEA7CD9FCE0ABF3309651638B37044D44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231678Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:20.101{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:23.981{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBA9596FD91C08BD2F35B27B3570A86,SHA256=25376B9CA3ACE3C4B789C7C5F24440714772C6151E601BCAEE6469920503C45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231680Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:23.785{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA423946115AC8F90733EA2F933EF6C,SHA256=2C628749CD67B0489FA89191298892F4B0A2B0B7AF4FDBAA2E2B340A66600C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231681Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:24.801{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825760FBB4585BFFD4DB267F4252544D,SHA256=1C9316EC4A16FC34048ED957D30DA11BE31749489665283A903C5AD062DBCF8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:24.981{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7839EE4C1D6E3691B7306C2CAB6577,SHA256=574D905CAF2A7FF692F2A5B0A215327160FBFF145AF70A793C371A0C20E63B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:22.659{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231682Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:25.832{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30069B25B72C2A3B0A16E0EF31EAE0A7,SHA256=9FB837276AEBBD79698711EB359DCC7D82585CE5E5DA9AFEAD3C1B8172FB45A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231683Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:26.879{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86463F77BE497CDAE5D4A50F3EAF7715,SHA256=3019697FD5F5E8E40D7289FC352118136996D7589CA8ED23BD2A0E35E7911CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:26.043{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F297408623FBC9FFDA228A8658DC66,SHA256=D3B31D9D8D0061A0D5334022FE48F3AEA303228C524632586836A4E192E2E100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231684Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:27.879{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ED27903576A60AD3C6D509ACEA3CF9,SHA256=0B687D66893A8B0906F39601040A7AB1441758198ADCD6249D3E2E28B5AC3621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:27.043{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32C43CC17407AB7CCC745B081EDC557,SHA256=24BFA1D23DD3483808AB5FBE1F4B3F6A618DB1CA420A1D8332BA62E23E73ED74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231686Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:28.879{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2877D2FE3873A80E59336ED4B7E1BC34,SHA256=3C573110A5C64A3A5FE22894F0CF0396F568F3E702B3A9F922C63FCA51B617A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:28.090{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E34CEF93B940FD54EE87CC3723EFAB,SHA256=90A33CA3D3E6F4079AFA732AAE6C10937BD2F3FDB7A06C0923B8FE0C2FC0E046,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231685Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:26.023{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231687Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:29.941{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485C4186F852785C6123084A68497C1A,SHA256=69A258C22B13F2422DDA3D68FF5730E3CBA3B44F8ED8A18BDC323EAD090FE3AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:29.293{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2140EDF707BAD7842C6711C4FB58EDE,SHA256=D6EF216F0B22B52CD20DF22534F345F4E09B58DA4BEA368905E1CF8C6F64BF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231688Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:30.957{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD925D5A903D3343DE49D5887F75253,SHA256=4328B5077406CEF6C43555C8D3F025D428159C1AE6C248AEAE04266B667B3979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:28.674{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:30.293{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2D2A6BB2C7154B1D39883E06B154EC,SHA256=97627C07296F349E8ECF5B7F699703A12384261C1C44A97CB32FEF9B8F9AA093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231689Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:31.957{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F922F78A4B6343D7255216DEAD75E4,SHA256=8450E07665C1251C0210419C360C4EBAC4A2DDAF11A256A1A22C6EB0BD74686A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:31.309{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028AF9076C4D11EFD82ABF8ED959B9B0,SHA256=7B5AD3772CC481901667BAAE64134EB6152B60F5C1B3F33E44A860FD1E0F33DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231690Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:32.988{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2505EC63C7DCAAC8A88ABF4EEAB97871,SHA256=AB0DC4730A3334C1CEEBFCC40DB307AA1779B83265CC7BB4F5642780AC6D28FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:32.325{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420202613180AFF93EA1CAAC05737867,SHA256=BA9974548DFAA25863F817E293FFCB4C256A17735DC83F103E38D08F38325827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:33.340{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08338B8DE442870E7F150E910493DFF,SHA256=FC4E9F7A08E6987AEF2FA983DBD5D08347AA5B6E66A5F29A96D99C00272E4C77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231691Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:31.023{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:34.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707F69386C6305C73FBD897B65282A60,SHA256=ED6ABC4F1024DF6A6B9C44DE855942484D2E804076D48A0614DDBBCABC9B8B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231692Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:34.020{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DA3D0D9EF7BCC91C8638194F080F2B,SHA256=B159CA4FD356279C98D3437CE77976C6F022A93E3D3C94FADFB48CD3FB127631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231693Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:35.035{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473D23379DB517FDCF05467B36969FF6,SHA256=0AD5B82DEF5BAEBBB190C8FE11D2A284F1A82DFAB3A5928B2E522B3808127D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:35.387{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E16D6ABCEF9E19D8865808786CBAE1,SHA256=DB4B76401C92DED9B6B8219DA5CAE9A605FFF518DFD79B67B47058FB9C47656F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231694Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:36.066{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD33DA0EB498C78C3DDAAD5396312B29,SHA256=8AB803F74A88856BCCE05D6C3233280F877F41C883DCB7D3454B7B056C696619,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:34.721{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:36.403{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA317825E2296B1768F41C33B0DAE3F0,SHA256=6F94A9EC3265FBEC871DDEE997DD47B22D2EAF06C32494E13BF09D9769BEC764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:37.418{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D208FD9C484B6E3EBF00319310413C6,SHA256=04221B8DD50BC3C4494220EAAD45C72635B9C7CA245727D70B9D642F360ADBCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231695Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:37.066{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF71DB2FD1CA43403509FE936F8477DF,SHA256=91F4295AAA38864ECF57160BFB1BD9EE85D6351598A0A29C4B4DDAE4D4271F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:38.434{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D1774DE84E720568F9A77527D9BD05,SHA256=96E7E58C3EA65E7E4F57AC457BF6561D257825C24F283F8BDE0F8EBF1FA051CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231697Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:36.226{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231696Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:38.113{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6E5C95A2E6E4DA36D25A8BC87E55CE,SHA256=ECDDEE12DA92CBF9D04D22C3693E6246AA70D5E0D6CDE989D5983D1E167FF9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231698Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:39.129{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A79D644819FA5BB156FA72DF843C6C,SHA256=B8367E9FC28398ECF5DB5E1DC5D67E6384CAA8CF001EA36F639E4188C87CED8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:39.449{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059BF25F179647A1B40921BCB63125DB,SHA256=D26B4403698669B4F8B6ABAB15B34526023B389942B42E5F5E1FCB8F08021013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231699Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:40.144{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798EA197B4FBF3588054670374ED6E9E,SHA256=770B1A46A87E2C54D374BBAFBAA4957721297015B4713103B50A868B8E6AB52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:40.465{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EFA43FC20CCB9F3C920328CA07B8C0,SHA256=F500C09CD6F2A57701BC97F4E08BA61D897575A627C6838F64F2369049EEB2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:41.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417AB81BDC140BE311D61ADF89D2E370,SHA256=A85C465E9310F7E9FE1C1EAD70F7407DF5C472B9429D915AE3345DE123A3421D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231701Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:41.851{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-115MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231700Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:41.160{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE39A7466891E60948158913F3B5671B,SHA256=B220A2D5D439F65B0B79C0C56337424CBDC9CEB8C39062E2DAA71B7E0B6FF7AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:40.659{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:42.574{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E14E442B24D775B898A1FA248C407F,SHA256=32346C1DA1ED998FFB3B2621AD1CCE6E8F885BCFE7FE7965C93A1ED84CD4370F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231703Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:42.865{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231702Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:42.177{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352E3DE4E98872FE7043CDE84047DA54,SHA256=B324A817E78DC8222DF5E34A445103B2EDD6C839BCBCF549FCE41A56D2A4FB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:43.590{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56671061F73D9EF1646D1947B1F4C7E0,SHA256=EFEB360AF9EB42E881CEDD7494C1D56F143301169EBD7A0E8799205BDD809907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231705Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:43.428{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4A392ECEC9C7C6104DCF376B04FC2E91,SHA256=B8CFA3613F7A897F98DC3E3C78B90B4FE9F5EECF2960E1815A0AEB09AB0CE545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231704Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:43.222{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32D271C94117A80A6C1C76F73B937FA,SHA256=FDB3E1762286C47CFD5E1F7DB13C2CDBC1949CB4A8B54F0A3667E7BF7D445556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:44.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C5AA420C0E5781FDCFD50DC7A4B5F1,SHA256=221167F9677A7802897B8C4AF4B96EB29851704C92C98B536BDCCCC79D4FD875,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231707Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:42.054{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231706Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:44.256{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E80C9E8264E4C781F92C22FA32C0FC,SHA256=8849FA95FA3CEBEF1A3708501F624B760043ED8F29BF164F9667C0683DEC3A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:45.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A590C64ED64714F433AD28975ED514,SHA256=768494F49084CC90F4B343EB65939E33D3342A5DB0F681F7A533537D4195284B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231708Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:45.256{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61754EC338704A5B556E2648C45A13A,SHA256=005C2427086EC4FBB5EBDA6132A176C8E0E0E96BD83D0D3B52DE9E01FBB92FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:45.184{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DF253C00207B59D6B075578026A5778F,SHA256=D05A734020B1D341138CFD02DD6D527DB2843EC2F8BF7B4815CB8B7570761ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:46.637{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847DDE0B84657916A17404AE4908DA89,SHA256=2C3B9A5E97B2942422467C627FD4A921989C37326FEC25F2E5196F366B770AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231709Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:46.303{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A9A2B0E8C9500B4132F6D9BDE07AB2,SHA256=A7A23B1F2AF2E61466C0F9883F34C58008D65F03C15C50C2247AAC7D05DB56E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:47.684{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD654C9D94FD4C9327306409076FEAA8,SHA256=E27FDB53ADF4F8AA13F3DF9E55700F455A0BB4B0B2B166B56791128C1A8C9BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231710Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:47.303{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB93214CAB5C3FC20EEBAA83D7BA2F8,SHA256=287648FBFDC2C32A65785CA5927C14BDFD8C1C644A18B6855E0263C5C2A53D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:48.699{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C521AAFCC868A045A52C4D9D14EE19,SHA256=9E837726D7DE85710CA8B33B4605866D1406D005912CBE370DC07238A819E105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231711Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:48.318{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5550B67A9B8EB844528830D05251B2,SHA256=3C5E971C0786B625551E1A2916A1DBC54CC295A881562C232EE651ECFFD5FF7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:45.722{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:49.731{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394D0472A04B179CF3BA4FC5EC5DB041,SHA256=DE16BAA34B163328B879F73E4414E1E37C3D0B790A45E0E603880FBEB4207553,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231713Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:47.134{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231712Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:49.318{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67FDFA8BE6B46B9856F12C17FE6E3DF,SHA256=F93CA461C68FEB1EC2619A38B4E3910AC4AED29C9D47251AA0C8C9008D433D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:49.590{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:50.778{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F248DC63859249C1269A879DD725DE8,SHA256=328B44D4267161DC1E59624D31A4E5156A3B36A4E681FC09FE3858344FB0D9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231714Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:50.318{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43F9920909DE0DB657E54BB429FECC0,SHA256=FFC50EED60661F3083CAA2D16051B44DA707DFD0D373F0051CA1FD7B01A2CDA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:51.793{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F63478435281C0A1DAA327B9EE1CDBA,SHA256=0749683963A5A166D3E8E15D6C762DAD0B966473D7A770662452037941A93808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231715Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:51.350{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5794A7893C493F1A23E246433EB64F1E,SHA256=4C02E9A8FF9B312457D7EE502BDA0036AF275880AFA388FFEE5E674C6582E5FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:49.143{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000272700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:52.809{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331BD078234AB5AD7C97F74FC9F8119A,SHA256=270239623F46C5D1CEF77E9C3C0814AD0C95644290CF6C0EBDF9DDE7391D0ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231716Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:52.365{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A31B74A7B24CC2F5B194C3EFA5167F,SHA256=3A5F14E141CA20DBAB39C289F5EC35066A0021B406C507D56096BFCC9EFB71CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:53.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F7CFC01FF8792A263C1414D0FA3B59,SHA256=E7211A5F46839BC58F060622B32A62BA7950E1C733196856F87B863353C114D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231717Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:53.381{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8834AF88D6F235124D28BF9E9BCA19FB,SHA256=16A53189D6B86AE0EFE86CDA8575DCD9886330A22A951FF597EFCFB4F99D37A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:54.903{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CACA9BA0C0B1BC4F7D71F53D9ACFF3,SHA256=1A55F7C32507776957EA3CF9798C41F3B0D25838D817CF2071A3D0DB30753E54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231731Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B06-6127-D403-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231730Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231729Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231728Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231727Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231726Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231725Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231724Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231723Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231722Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231721Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6B06-6127-D403-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231720Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B06-6127-D403-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231719Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-6B06-6127-D403-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231718Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.412{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A259F937CF9CCC5C4ACBA34E7040573F,SHA256=539BD0CC7072D935F49B7A68BF3D2D1F86D647FC49E400621964F131CFF14F28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:51.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:55.918{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25485689E0E803B15D9A9253F5A39783,SHA256=1C2FF951D05B28E1EA82244DD77B8ABBABAAECAF7C0A5E049EA3C7DFF3161B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231748Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:52.181{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231747Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.740{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0972DA0A7DECEE61048EE4D0A9A1BF3F,SHA256=723755BA725194D82AE1CCEFAE4BE4F9C3D3F7D7421B47D0680478D266021E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231746Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.740{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48767A275F0BF742F44B0E97F3B3A170,SHA256=3EE7D3D4C7F62E0DF135D0E8B67029E2DF9891EB4C944635E46FAC6C626DE34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231745Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.506{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C2E905829120E2AB17848417E81905,SHA256=06E78C7E5AE2280FBEDFFA413966B7CC216E29A8411185BA84B7C4C53872BF6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231744Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B07-6127-D503-00000000F301}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231743Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231742Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231741Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231740Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231739Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231738Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231737Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231736Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231735Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B07-6127-D503-00000000F301}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231734Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231733Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B07-6127-D503-00000000F301}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231732Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.397{D371C250-6B07-6127-D503-00000000F301}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:56.949{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FA15F21FDF93AF81B8583BC9682C4F,SHA256=AEF66C4437E7F23760B1FF296F2A2CA4336EC3A72AC9794CFE1D55EB4491870E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231764Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.740{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA5BE5D6FC3EE5268D4A863F3DC4915,SHA256=688C40188A15B8AFEBD66D04824D68C2F242CFFBA7F85EAA09246C5A431D2B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231763Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.443{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231762Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.225{D371C250-6B08-6127-D603-00000000F301}37843820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231761Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B08-6127-D603-00000000F301}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231760Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231759Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231758Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231757Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231756Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231755Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231754Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231753Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231752Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231751Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B08-6127-D603-00000000F301}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231750Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B08-6127-D603-00000000F301}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231749Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.069{D371C250-6B08-6127-D603-00000000F301}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:57.965{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19408359E9A7434668D60112C037F453,SHA256=E9AE981DDFCC432B2A8DF2AC3DE13BE3D2145A9910CAD6F00E1F56EF69F4E804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231767Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:57.771{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C69ACF0AEECAC5EE3B6C6F7D7E50504,SHA256=B98D1C289C5EE80151257DE1DFC3B205268FBA65393EB217BD00BF9C3F694F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231766Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.400{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231765Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:57.100{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0972DA0A7DECEE61048EE4D0A9A1BF3F,SHA256=723755BA725194D82AE1CCEFAE4BE4F9C3D3F7D7421B47D0680478D266021E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:58.968{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96899664486DDDCC38C74D9549D3F7BF,SHA256=7897E47F068B6F45D9204783C56BDF55BED65D75C51CBDECFB819C5D0E4CF1D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231782Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.787{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A7717C007711132641A1829A541157,SHA256=1A75FB5CCC1576F09EBEA0BC1E1955E422CF03D28FEBEC52C3D616288EB75AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:56.784{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231781Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.428{D371C250-6B0A-6127-D703-00000000F301}33763944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231780Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B0A-6127-D703-00000000F301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231779Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231778Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231777Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231776Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231775Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231774Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231773Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231772Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231771Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231770Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6B0A-6127-D703-00000000F301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231769Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B0A-6127-D703-00000000F301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231768Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.288{D371C250-6B0A-6127-D703-00000000F301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:59.972{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7716012387916D02C67AD096588229D4,SHA256=93B96D6BE83F9762295C661C7367811A42BA57B29653124873CF670F6967992E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231798Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.803{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5378B7F094675D2F4C9F13422F10BD,SHA256=12E1B4E65025796B5E527BAF98751A7E11640315998F343EE2AFFA48094650F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:59.018{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-115MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231797Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.678{D371C250-6B0B-6127-D803-00000000F301}34643736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231796Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B0B-6127-D803-00000000F301}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231795Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231794Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231793Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231792Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231791Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231790Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231789Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231788Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231787Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231786Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B0B-6127-D803-00000000F301}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231785Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B0B-6127-D803-00000000F301}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231784Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.522{D371C250-6B0B-6127-D803-00000000F301}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231783Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.475{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFCEB4D96B87B845862D6B9022B86EB2,SHA256=338A5BDA69BF256E02B1E6D24C1019A4F5E01D7480D1AEA1F61A8E76557D6E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:00.975{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC21E4406789F7BE5BDB7A3D26069C8,SHA256=E593876E195006E8F0F94094B9EDD4C412C450228F76CE9A959123830C4E7703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231815Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.803{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F32E8D0BA83EB8882E6BB478EFB39AA,SHA256=62BCD380BC51F41028FD8CA28D92E5D305E1641D5603F1FECAA49B525CE75FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:00.020{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231814Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.181{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231813Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.631{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6978A7AF3F552CBB874B47E6F41999BD,SHA256=05DB183136C497EF78BC351803C19275BA4F58196E8333A9E60E0CEEDBDDAB17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231812Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.396{D371C250-6B0C-6127-D903-00000000F301}31962496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231811Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B0C-6127-D903-00000000F301}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231810Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231809Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231808Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231807Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231806Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231805Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231804Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231803Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231802Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231801Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6B0C-6127-D903-00000000F301}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231800Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B0C-6127-D903-00000000F301}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231799Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.194{D371C250-6B0C-6127-D903-00000000F301}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231816Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:01.834{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0EDE478330A3AD6B8AC76239DB7DCF,SHA256=4F85215A517A94DD55BD154A38833F87E1A22EB20EDE9E4BFDB3D058AEEB85E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231830Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.834{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7D0C17BDD4F6AF2E1C48317FFC59E8,SHA256=914BBBD67C0B58DA60DB32E5EDC0D397E289FA7892808A7BD78A099A057D51F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:02.006{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103AC0D8198EEFA861C246848CDD89E2,SHA256=63CCE123B1F33EC434907F541ADBD2C58FD18770A703C0C74B77ED33211AEC0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231829Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B0E-6127-DA03-00000000F301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231828Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231827Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231826Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231825Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231824Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231823Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231822Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231821Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231820Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231819Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B0E-6127-DA03-00000000F301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231818Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B0E-6127-DA03-00000000F301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231817Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.100{D371C250-6B0E-6127-DA03-00000000F301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231832Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:03.849{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A033CA4F395A57F4076FAF337C347230,SHA256=3722EDDECA3472A14A79A20D50EB629E35CC88B97657BA1E2C1118827D4C31F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:03.037{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53603789D1431AF4A3767FC485D983D,SHA256=4D4C8B085563B6CFAEECA22881ACB6F53CAE33E6B8464F6F60BF95366C44C6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231831Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:03.099{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9A43C274C34EB7C2AC534F897BA188D,SHA256=BF23578D3D235EA80CA0DFEEFA72348D07E898DB22D855869152422D30F9D555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231833Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:04.849{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D73549C62742237F5292F3D98BB7BD7,SHA256=457F95C9CE41F904BBBF5CE330A54442A4A6C1F9783FCCFCCA32D88BFFB2381F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:02.637{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:04.069{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC712102A63563AB11F3278DAECA097,SHA256=9BD16A7A5D1C137D1E746F1793118E62ED745B468665B125EB54F6B0772EFD72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231834Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:05.849{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BD88BB641CD8C8F567DEFC6128BD8F,SHA256=5A7E3DD1F8B878E9ADBD05E72EA64F02FEB0E9026598FD95ADCE85A3ECADECE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:05.084{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8674733087D065F6DE5208CBE45C19A,SHA256=50C48440BCE6ECECCADA56031A8BFDA18F99BCA98265738AD81087A8E7AE9881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231836Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:06.881{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBD3B808960307BA8084A56B1A4AFB2,SHA256=5E30A7375D95DE31E175E5B3C232960A5DCF3C53FE7E85D18F3CBC2707836C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:06.100{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1A068E2DDDD4A3D1656F4AA92B0211,SHA256=242377844E3C15F89C39DCBE7D7161CACB0FF4F5CE16A0AD68597EBE33B0C6C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231835Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:03.197{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231837Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:07.943{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2885A4760C29FC3D7383C63881B5BD,SHA256=F25FEB4B86792543802899844F8BAC45FC339AF7506A37184649A7E810FFFA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:07.115{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A203688A9D4E1C9FC229514DD2637DF,SHA256=F1257405B7D62C8CD6C5A9085FB352F3EAEF3DEA40F2ED1FD73F72C82552DEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231838Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:08.943{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3DF67CBB17C5651094A58D42B4FA86,SHA256=937E7D9B366DBC0ED767A70E3B5C68279F0231E8794F6B6AE6DCB4DA3C1DC38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:08.147{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CAF82B3F92E7EC1C7C5BCD242A7B74,SHA256=9DF1A48D64D26F274B0CE16B56BFBFBA5DC68EE4E8295564C6037A97A8F7F609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231839Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:09.943{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0F495F3E91ED52E62FE4F42990B2AC,SHA256=89648E5F33FFCF6545AC2E2827E7C67C6479DEF1C2E6A8142FA6CC837368FE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:09.162{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C578DD23B3892C04DC6FDBD022FAE75,SHA256=408DA5679DDF3FF76A32CB06DC03E2219D2CC3F29132CE791EC030B37789E0EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231840Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:10.943{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53D346C849B99D1202922D787F3E6F4,SHA256=623D97C01B54E31884C19B9B672528123CCC4788A5026AE7FD33D94E83B036FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:08.653{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:10.178{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8C562DF1CA834B2129011315B5BF45,SHA256=9379F605B1096370836BFC3B4418DEA86601C00FA2402E1BE2047F7C6A383FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231842Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:11.990{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14931525883833BE9D6818F984EFF73,SHA256=9EF11E504DD254F07E9175EA6A4CA66A1FC3E66A6700673DA7465C0A35A2B8EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B17-6127-1504-00000000F201}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B17-6127-1504-00000000F201}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B17-6127-1504-00000000F201}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.929{80A11F3A-6B17-6127-1504-00000000F201}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.194{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EC55B857FBB67B660B607EE6DF828E,SHA256=F1FEAA1291A17BC2A900739D5782C66A4965F2B4516016C27D59B2DF771726AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231841Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:09.025{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231843Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:12.990{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=445DF820712CB62D5D865F0036FA84F7,SHA256=72DCED00B52D9C10E737BA1A8819DC48504A45F72A677F1CB3A9DC25465E8E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:12.959{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD8C7F3C0FDF7B310003FD7BD3128556,SHA256=5EB11B8B2694869BBE3CB72666FB86B817B68D903021294330DBEEF590A40BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:12.959{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA69D81F13CB08FB449EEB3AD7551917,SHA256=201A987D035D23E5EAFCA9A5F3D61EB4EFB99022830EC61BAC8D50BCF7E9EEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:12.228{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011B8FA417A444ECC562403DE2EAB0D7,SHA256=FC7A22F3E726BB3A834B4B820FBBE440CE26452FAC795FAAB28BA4256EEA3C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231844Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:13.990{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EB53586A98F81727CB86D8E23EB8BE,SHA256=84E835C56CC28A5ED2DEB491D85A89AC0025088D1780DDD038E8B731D444A5C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B19-6127-1704-00000000F201}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B19-6127-1704-00000000F201}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B19-6127-1704-00000000F201}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.570{80A11F3A-6B19-6127-1704-00000000F201}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.303{80A11F3A-6B19-6127-1604-00000000F201}45282708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.256{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924E7DD86B33D3D336BD2949A80E5F37,SHA256=EA11A465E4FDFF292303E4A55DCA6A1B046F67FD46C459D80D58BB2C3A283337,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B19-6127-1604-00000000F201}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B19-6127-1604-00000000F201}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B19-6127-1604-00000000F201}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-6B19-6127-1604-00000000F201}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:14.256{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9B69C194A6631042A3787A1558BEF1,SHA256=601D430D5BE865A65AD05DAB11924C11954D118E7CE5ACDBA7EA1CD5AFDB7D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:14.084{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD8C7F3C0FDF7B310003FD7BD3128556,SHA256=5EB11B8B2694869BBE3CB72666FB86B817B68D903021294330DBEEF590A40BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:15.522{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F2B68C18E0DD423FCA9C9432E9492E,SHA256=8316FC0E67C2C891756F151AAE49774E221893086A96C8BA7969489D88F822DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:15.272{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39449F74C398669174671886FD4C71C,SHA256=8402CE94FD89888E399AEF0E05F96E3A3BABF12427F8275523F495468CEC64C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231845Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:15.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD773135BFAA8BFD66D367EC7FBE3EA,SHA256=36756E9343F41A52A591C3ED623BC0123B5A77FB4052CAF7A439BD0998B17727,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B1C-6127-1804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B1C-6127-1804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B1C-6127-1804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.820{80A11F3A-6B1C-6127-1804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.334{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463DDE8A89D67E5953D0C87CC58A0EF5,SHA256=A3E8658DCF8B6CC5858DD45148A15F36E9F413FEB21D115153A0226A9AA3C656,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231847Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:14.041{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231846Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:16.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DAFD503A8C01338B2613F7D56869B8,SHA256=1846D3E654DAA321AE15C6FF0C6BD1A00D7CD31F5ED032F0C0A7C018E1A735C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.668{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.850{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BF069CC11800D2A77BC46EEE031A272,SHA256=B665578DB8AD2F66B6F13911A2E785EF29C6F8F3AB75CF9B96ECA8F787A9A1B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B1D-6127-1A04-00000000F201}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B1D-6127-1A04-00000000F201}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B1D-6127-1A04-00000000F201}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.835{80A11F3A-6B1D-6127-1A04-00000000F201}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.553{80A11F3A-6B1D-6127-1904-00000000F201}3984420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.475{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CE5C4775C0AF2A7AE29FC13C2D1BFE,SHA256=A5EE983ADA1E3FAC37D75B7387907DA75126007A07B0F51493A0A5DBD77926B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231848Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:17.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6656D9B3995132A7E2347E31ACA47F89,SHA256=E6B38551BF86389D98F67A170288908C9A570E909592F2742A817EDD46314473,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2800-00000000F201}2816C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2800-00000000F201}2816C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B1D-6127-1904-00000000F201}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B1D-6127-1904-00000000F201}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B1D-6127-1904-00000000F201}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.335{80A11F3A-6B1D-6127-1904-00000000F201}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.069{80A11F3A-6B1C-6127-1804-00000000F201}2692172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000272769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:14.091{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58176-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:14.090{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58176-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000272830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:18.506{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735477DB1BCF62FFEBAE013000337A4B,SHA256=7232B62857929712668D06F261F23DD67CCA64C8F69C3F47E0EAC892F6DC34B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231849Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:18.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79ED1E6BC77DB396CDA103D3CD567C0F,SHA256=89E8F3B9F0455E56ED72DFEEAB4BED6CD5025CF492A104BC263D8939BD056BE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:18.022{80A11F3A-6B1D-6127-1A04-00000000F201}41563164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.537{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C224FD357AAD6ECA2AA90DE5C3F5F38F,SHA256=954AA7CC0C67D53B9D2555E9FC9C79D3CD09D7AACE7F5CAE36DF614253457550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231850Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:19.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3FBF12DD2D78527A63F3DF6EC3C8BC,SHA256=5ED0986B716950A8AD512F35667DBC95A896543A65C4D385AF5176D540DBF9CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B1F-6127-1B04-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B1F-6127-1B04-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B1F-6127-1B04-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.507{80A11F3A-6B1F-6127-1B04-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:20.553{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E25D4C594C0A2B79406D7FF80AE4D5,SHA256=51475147B08CEF94A52D671776833B5068A9940A9C4B555242702BE51891E203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231851Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:20.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3221C3309487D8316B5AEE822F210F6B,SHA256=6F94C4472BD1F6E97C78A8C1E81D557E51E19CA772E76F5C1EE42A0490C4CE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:20.522{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C2783D3D8095EB29B0A4498DDDEE940,SHA256=BDD0BDB449EDBAD0DBBE6EF3FED3BDAD641A42DBE646E4B3550572D667AE69AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:21.678{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA46DFFE65DFCE82D19480DE77FE9E51,SHA256=4908C7EC61C1B09ED1DA6F537CDB79F75F4F3479340C6C56BE2E27DE0471BEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231852Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:21.021{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA997674DE3630C19841188817077B82,SHA256=6CB08E95929ADAD2BFA25D12854E4ECF785723A660A091175A87BFF568E57024,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:18.684{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:22.693{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86A6EBCBF57CBD01F36ACDD6E4D5D90,SHA256=832209A032CF09D50FF3669BC4257D5AD09986D0DD669F91D670BEC5C51069A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231854Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:20.010{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231853Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:22.021{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE660B12521A51B5EE7BC1CE07E430EF,SHA256=90E8402025843ACCE94C62B715CC7760F2A65D3C6E73C4906E1F98D648C3148A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:23.709{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF37F5415D0AF633BF28D8B02A9B5CAE,SHA256=91E15594AEA65BD222B447D786881FDF0712530D9D326017CDDC206C0B883CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231855Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:23.021{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BE69A3D426F4BA3018852DA0B1902,SHA256=21FAB36E3A90B2793E9A3043FFB7C666080FDF9B8A55EBBA6522A551E68B4690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:24.725{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E0C57920F54CEF275103B6D6A5FC0B,SHA256=E697F6103DAC9D2C30B5C8C8C12DE82A775A966B377B4001C504489FD01E695C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231856Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:24.021{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04119A4E6926AB4BB5269BC2254E1937,SHA256=62F8471D01E25B0660812A5C5B3B002BABD97E953BB0ADC4B12E4E1A5A947523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:25.740{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7C04ED9BD120E846A8D5DC9EF0C783,SHA256=1B0B3F9B1BD8D01DB39FA9CB4D02C35BB0B05661435CC511F09DBC9F4978C0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231857Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:25.021{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837A098CAD3E655CAC76AE69C8004117,SHA256=1DDF2BC1FAE43F3B45918934477B15FD3017C2CAB892B90FDEB2636779BFE794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:26.740{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EF1984515977B006EDD34CC2060701,SHA256=35C0AF678450D8574AF235009BD8925651BA71CFA4E81967F2A2564BC720FA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231858Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:26.053{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CF16082DCE98B943D675581BD358A6,SHA256=C6DC532F0282EABB99DBA3691F4CC012291AE4D1A7271E0E6167F1A870926DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:27.756{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192B3767960FE7AE7008806B65DA8CA1,SHA256=90CC0BF8B54FB2A052B124008AE12B2C565E0B991A845E8ADDE42FF4DB4A51A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231860Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:25.025{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231859Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:27.068{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1960CDE5024D32AD0126BE7E542E7044,SHA256=EC6C9AF892FE4D50BDDB6B4A24A8F7EFFE25CA38D36976D7253B778FCCB51CCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:24.637{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:28.772{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF344D6265698A5473136C637FA087BD,SHA256=FF6B919215FBAB2A2A2420A9EC7FE10ADDD93795B6EFB3282C138E32B21E751E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231861Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:28.068{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971C229EC25D5D181F9311537F081038,SHA256=492AB8B970103BF70560D7E35E7545C20134E24CD7E1F8F967C8ABDC8BD447E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:29.772{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F5F7758D3E7E7E077F4842441C134B,SHA256=B9856A334DF2726927E60704C02C1FDD13EAF3007696AD6DA0E709587847A68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231862Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:29.068{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FCB9CEB46E9579F10B905597AFFC46,SHA256=0E2DC45B4F8258F3E03ADD94C14063AA1D65A781970C8059F231354A00731EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:30.787{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3FE7F4790E15CE7F8BB483FA4AD983,SHA256=AB0F747AC5CED8C37DC9FA660236A54E1BBEEB763AA8DE9D2FA3ACDF6DD626A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231863Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:30.162{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C5D7432FEC090C73623E74C1ECC6CB,SHA256=B17445D7D406EFAB49E6CFC5A24C37F4CB23C4CD9C598A61C00BDFA60AD35D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:31.803{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0191E065ADF577D5B9D69088FCC6A001,SHA256=483BC64E32C75D2FF92752E8A7468DAEC505D1D04DEEFF464350157D4EF65985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231864Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:31.162{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1071C650D785767D9871E82EC411DBA6,SHA256=492111D2762B787CC8A79487AB77B3B3EA98D02D368937FBAD23C22B2C76C632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:32.818{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BAEAF5304C78BF860EB3A676545437,SHA256=0294C15EE98FC9B2706E945EFFDE19995EB530049D2FDA88396B297414E2A623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231865Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:32.178{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F81E06B11A1A3446E0782BF37F579C0,SHA256=B98D54F43E6597B0760C4B6C880E5C7085DEEDB6243307088F5CFA72A9A230BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:29.778{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:33.850{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22478597DCF35D9D08BD6A0AE3EC1BD,SHA256=719A8B6C8CCB1A829FE7843D14E348F641846F3499CC98BC826782CFF46A45B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231867Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:31.025{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231866Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:33.178{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6120D0D1F54F9C6EFF7794A684ED7BD6,SHA256=167843364E0C19211B019EDAA9D23ED5BA94BBC4648156C19FB49913BE2AE8B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:34.850{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21AA8B082D50104722D1701E525F2AB,SHA256=299BDB37A9DDA8AF973A587A6BD2210B12CD56F83EB43D97B658F3A981466DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231868Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:34.224{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3E1186E3D077F5D5888372939088B2,SHA256=99AEF6792D7F6711FC8B5AE0939DDA06CCF0A3BE8563F3A30A2AA5617E36BE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:35.881{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620D0B4DEC3E9B5A4B3965ED9F1D15B4,SHA256=F04132CCD369006371C7B4F47266184942E017B8F54D0C7FDEF3C846B01DCBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231869Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:35.240{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6346C5A83A29DE742BC649A134017AB8,SHA256=0F182E10988A698514C30D734FDFEDB7ECCF754A3CF7E5A69BDDF93E37D9A49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:36.897{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D410A6E432C964CB2532086BEF6B4B1,SHA256=410E8F55963A27F0D6F718635F095593B9A66451A09ECC17152545AEE6B600C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231870Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:36.256{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3302E5E93422FFC0E725E993833C6471,SHA256=9AC04BAF7BADFC7C3F18098E3F6B3390EF8C229CE16CC1ABD608ED81BA83C6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:37.912{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3149320F59F5ED2FD684B6CAC6447C45,SHA256=DB1E7B88B913BDB488049CB3EF82C9B77655D3F458FC01CF9A0F57DEC57D38E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231871Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:37.256{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373775D90A04064D4EF31EBE5E8BC344,SHA256=7E1AD61E58868BF542328A9F10D936123B244E57FDD9F40AB90D2F59A6D77410,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:35.637{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:38.959{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E70D776A31FB3707C9F652989A7FD21,SHA256=C8970B7E146544D4A9BEBC155E86329FF8DE5062BD3F005C5A32193953C508DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231873Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:36.182{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231872Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:38.256{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E1F698009064557C67F52DE6F3B6E2,SHA256=52E39E2AA3620D6EDA1098077FA577120A8F88CCF158062BEB549CB5D9D0651A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:39.990{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D93E570B870A1C1F8D10F4CB049801,SHA256=6FCD9ECFC2A0ADB4071D20868DA4122835788FBC2987B095E6187C5759AC6983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231874Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:39.302{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085DCD0A326A2F8A95078FA517DEAD17,SHA256=0E934BEE6E75A6180B06A0CD79750A40D5A0E9F53B3373E45B898208012511F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:40.990{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C658708C139AA43FE16E4078199DF4,SHA256=A134154BE1812B50D7347C6F391B2D825D6CF7C29464D01364776A8851A5C279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231875Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:40.302{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91B220F2FB9D6FE2204BBA01FED5272,SHA256=3E97811B00B5312DC3375AEAB0FE30656960CB6EEDD348CA455481998EE631C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231876Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:41.318{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE62BA56728DD10C2D2078B3EE09148,SHA256=4972255F875B17697E0D1C3CA21D105F9EFA95D93255472789E069758CF302C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231892Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:42.381{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231891Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:42.381{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231890Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:42.381{D371C250-4F14-6127-0B00-00000000F301}6322476C:\Windows\system32\lsass.exe{D371C250-4F14-6127-0A00-00000000F301}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000231889Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000231888Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000231887Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000231886Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\LeaseTerminatesTimeDWORD (0x61277946) 13241300x8000000000000000231885Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\T2DWORD (0x61277784) 13241300x8000000000000000231884Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\T1DWORD (0x6127723e) 13241300x8000000000000000231883Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\LeaseObtainedTimeDWORD (0x61276b36) 13241300x8000000000000000231882Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\LeaseDWORD (0x00000e10) 13241300x8000000000000000231881Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\DhcpServer10.0.1.1 13241300x8000000000000000231880Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000231879Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\DhcpIPAddress10.0.1.15 13241300x8000000000000000231878Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000231877Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:42.318{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE10D678AA76FE4EBAD5B936089E3D31,SHA256=5F1F28C1C564413B62B01E52C4BE4B51992DC5E7877643A2642AB2DC144BFE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:42.646{80A11F3A-4F15-6127-0B00-00000000F201}632364C:\Windows\system32\lsass.exe{80A11F3A-4F11-6127-0100-00000000F201}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000272867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:40.793{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:42.006{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67FDC1AA2F38338F877C964C04DE5E2,SHA256=57ABB0BD4410779A51240A5624A2874D9F7D0FD6913BD5667A54B423FCEF3FB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231900Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:41.372{D371C250-4F15-6127-1600-00000000F301}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:98d0:a608:d80:ffff-49804-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000231899Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:41.372{D371C250-4F15-6127-1600-00000000F301}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:20e0:2601:8273:fb42win-host-944.eu-central-1.compute.internal49804-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000231898Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:41.353{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000231897Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.429{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C35AC6C3EA3AE1609F25F9A5E982FFA4,SHA256=A8373A35A6DC79D9DC705B0D57EBC133CC61DB33DBF04ED18EBD8D0587F367E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231896Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.386{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B709B9DA78005CBB7D75B1E89FFC4669,SHA256=BB8AB576E6EE786CE012EED18E40A027DEE7526C93257501CB1771C4E3A0B297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231895Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.385{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=36823A7D6EC8254ED585348363033AD2,SHA256=1B20381ACDBF4BD1437E8D2778F14B9140D7B4F967198293932058CC4FE5CFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231894Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.384{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-116MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231893Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.319{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D8281B8882C04655F64664FB38CDAF,SHA256=5CBDBBF0CD3C66CD9FB11C4F3D9B83C276E89673E0765908CB06F2BF66F21C41,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000272882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000272881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000272880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\LeaseTerminatesTimeDWORD (0x61277947) 13241300x8000000000000000272879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\T2DWORD (0x61277785) 13241300x8000000000000000272878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\T1DWORD (0x6127723f) 13241300x8000000000000000272877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\LeaseObtainedTimeDWORD (0x61276b37) 13241300x8000000000000000272876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\LeaseDWORD (0x00000e10) 13241300x8000000000000000272875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpServer10.0.1.1 13241300x8000000000000000272874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000272873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpIPAddress10.0.1.14 13241300x8000000000000000272872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000272871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.693{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8E20BA5B7965CCA577D30F03BD0C710,SHA256=8E5A51D841860CEE490746B0DB2308EB47897E679DF3534EC80336E6A4A9D72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.693{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E6B5FC54DF8D0505169126235384CB,SHA256=1494B77331E9258E85CDDEBE0D7AFCD252EA831109DD9F7534FEA3A8FAFE612D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.021{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4AA1FE863ED95F94FE65B2FE86AEF0,SHA256=EDCE47743475A986875909FBF4A1841AA251B0A0E4C1691E3F212A28A840CFD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231904Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:42.105{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000231903Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:44.584{D371C250-4F15-6127-1500-00000000F301}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a64-0x2b601178) 23542300x8000000000000000231902Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:44.399{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231901Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:44.351{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB0A98A8C1FA519B7EE1CAAF32864BC,SHA256=5C93974D80435CAC8A31570B7D872479715969FED43E7FCD7246780561FE252F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:42.216{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58182-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000272887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:42.216{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58182-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 10341000x8000000000000000272886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:44.615{80A11F3A-4F18-6127-1600-00000000F201}12965056C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:44.615{80A11F3A-4F18-6127-1600-00000000F201}12965056C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:44.068{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653C1C98FF7FE09C13C00D5DD03B9AF0,SHA256=4A079EC4994D2C05F179D68ABFAA9E06FA71CFC797A203E376D432EE3E19658C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231907Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.093{D371C250-4F15-6127-1600-00000000F301}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-944.eu-central-1.compute.internal62100-false10.0.1.14WIN-DC-39153domain 354300x8000000000000000231906Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.074{D371C250-4F15-6127-1600-00000000F301}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:98d0:a608:d80:ffff-62100-truea00:10e:4883:c420:415e:c3cc:cccc:cccc-53domain 23542300x8000000000000000231905Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:45.398{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB5AF7CD35EF101C04ED85357CDD4C7,SHA256=608C38FA383D5CF5E61D145EC795ABF18EFDC099AEC0677B50E22840242E7AA4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000272907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000272906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000272905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\FlagsDWORD (0x00000002) 13241300x8000000000000000272904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\TtlDWORD (0x000004b0) 13241300x8000000000000000272903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\SentPriUpdateToIpBinary Data 13241300x8000000000000000272902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\SentUpdateToIpBinary Data 13241300x8000000000000000272901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\DnsServersBinary Data 13241300x8000000000000000272900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\HostAddrsBinary Data 13241300x8000000000000000272899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\PrimaryDomainNameattackrange.local 13241300x8000000000000000272898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\AdapterDomainName(Empty) 13241300x8000000000000000272897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\Hostnamewin-dc-391 10341000x8000000000000000272896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.881{80A11F3A-4F15-6127-0B00-00000000F201}632364C:\Windows\system32\lsass.exe{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x8000000000000000272895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\RegisteredSinceBootDWORD (0x00000001) 354300x8000000000000000272894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.705{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.15WIN-HOST-94462100- 354300x8000000000000000272893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.426{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:81dc:ffff:98f0:14bb:81dc:ffff-64833-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000272892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.426{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64833-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000272891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.418{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000272890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.193{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=542CB8FCF4C57C6DCC39728A9EA3265A,SHA256=025E8D4BBF4B478C3871CD2BADB297A53AFB44C2CA3FE413B470731517BF0FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.084{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECB19D429D5C70ECBDC65CB5D4B7585,SHA256=856359B2756324E76BC26F6820CD89FF62E893BA48184FC46530750C91A95DD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231909Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.540{D371C250-4F15-6127-1500-00000000F301}1088C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000231908Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:46.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BBB42B94DCF856A705D0DCBE700121,SHA256=7E771D0BCF536F455A0112837894839CA034F448B76AE65ABE3EE91FE4CB6E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:46.943{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8E20BA5B7965CCA577D30F03BD0C710,SHA256=8E5A51D841860CEE490746B0DB2308EB47897E679DF3534EC80336E6A4A9D72A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:44.622{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local50835- 13241300x8000000000000000272919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000272918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006e03e1) 13241300x8000000000000000272917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0xca59a72a) 13241300x8000000000000000272916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a64-0x2c1e0f2a) 13241300x8000000000000000272915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0x8de2772a) 13241300x8000000000000000272914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000272913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006e03e1) 13241300x8000000000000000272912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0xca59a72a) 13241300x8000000000000000272911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a64-0x2c1e0f2a) 13241300x8000000000000000272910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0x8de2772a) 23542300x8000000000000000272909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:46.100{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC17F34AC410C66E9F60469021C4D6A9,SHA256=7A265F68848DEA3FD50AE67623CD9ED36E128FE15F93F65CA707AAB1DD1CA379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231910Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:47.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE4D9BB56C10EF48663AE8B61B1E9A5,SHA256=6A50AC135697B87163C409855BAE1D32D59079BBE2DCE3ACDF19BD18C3507BAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.462{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54232- 354300x8000000000000000272932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.462{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54232-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domain 354300x8000000000000000272931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.462{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54260- 354300x8000000000000000272930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.457{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63947-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.457{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63947-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.456{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local51541- 354300x8000000000000000272927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.455{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local63946-false10.0.1.14win-dc-391.attackrange.local53domain 354300x8000000000000000272926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.455{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-391.attackrange.local63946-false10.0.1.14win-dc-391.attackrange.local53domain 354300x8000000000000000272925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.453{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local51007- 354300x8000000000000000272924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.453{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local51007-false10.0.1.14win-dc-391.attackrange.local53domain 354300x8000000000000000272923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.452{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58592- 23542300x8000000000000000272922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:47.115{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16EA9E528B5F29D85AD427ABCDD2D63E,SHA256=DAFE8EE1EB3DC6E62C4C7F9447B25D70BFA25528C20941C5353598B56727C38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231911Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:48.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F63ADC1CB033CF67A418042283F258,SHA256=DA4C2023490D1D8858D67AA8DC4A68669823E1C07890DD3E13D3013DD3E5EFF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:46.606{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000272939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.464{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local55800- 354300x8000000000000000272938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.463{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local58592-false10.0.1.14win-dc-391.attackrange.local53domain 354300x8000000000000000272937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.463{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local58592- 354300x8000000000000000272936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.463{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:81dc:ffff:98f0:14bb:81dc:ffff-58592-truea00:10e:0:0:0:0:0:0win-dc-391.attackrange.local53domain 354300x8000000000000000272935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.463{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local51403- 23542300x8000000000000000272934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:48.131{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1206F1DA20F1C6C4586A937EE9A349E,SHA256=0687DF423AB8A20872F862265F928584E823FE0BD40403AAB660EADA2C242F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231913Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:47.232{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231912Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:49.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76B2389C94248B475310300C64DD16D,SHA256=EF08EA32555637BF7B141D9AB6908D6575889C6AB44ED5CCC6AC0F0BFCE9997A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:49.615{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:49.178{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA646D66A7667AFCD8FE0D50BFCFCDF,SHA256=3F0896A1852B37469654DCA9A9AE9EA58ECE2C0031EB5C55ABD3EFBB35A81352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231914Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:50.446{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8D865354F4082D54E906D689D43BBC,SHA256=ED26AC56E2837B392FC878383544D2C7E4E694A8CC1EC4C9F3CD15C5B676B697,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:49.168{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63949-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000272943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:50.178{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABE4E86BF1DFD79CE2282D9D5FC1108,SHA256=2171BBD2B4114DC1EA89F542DE4CD51C2A0435F01E5A39C11D7DE8E866B6D0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231915Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:51.478{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877C5D7F8A523F708DF83E81DAF277F5,SHA256=E082AF8505F2B2DC631CDB4CA0E11043546DF1A5112EB6DD85B4F8619461F4BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:51.193{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AA64AB74092FE4C8136BA1D30F0C92,SHA256=8DDE1A3CA46E966974C2AC777C7AAFD1D2AF9F075BBD63037C0BB5AAE0547B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231916Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:52.540{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8D0173A36415872AB5C515BE096A0A,SHA256=806E7987B271B8833FD91497C74362209EF71F5D175B507CA70261346E96D957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:52.209{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63A13A0B36F9483FB3418A2F3D98C3A,SHA256=7F9E5228AB1111820F1B66B8BAC7447AFCF3133072E149CB9B2199607C05A848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231917Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:53.571{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E082DA0BB78977BC6B554AE41FA69237,SHA256=6FA30FF5A8F3ACFE0D8C4812DDECC31CB238040248A4CAB4BEF594D49E67C051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:53.225{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7833955007D934F869AC6F0609EC484,SHA256=9A57DCC32BA47EDE8DE20420D19FF667FFDFB302914B6E5DCC4A8FC7F2C76992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231932Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.931{D371C250-6B42-6127-DB03-00000000F301}33842508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231931Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B42-6127-DB03-00000000F301}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231930Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231929Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231928Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231927Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231926Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231925Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231924Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231923Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231922Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231921Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B42-6127-DB03-00000000F301}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231920Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B42-6127-DB03-00000000F301}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231919Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-6B42-6127-DB03-00000000F301}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231918Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.618{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC6759E4B608F9D053046A388F599BE,SHA256=EEF4B61560941C5BAB10DE80D7E663990BF3052572EFDC9A1E04355B6BE32716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:54.522{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6289FB6D167C0A43248865E56EE83332,SHA256=C55AEAC32B16871350AB63FBDB2A17CBE95C12152F72B1FA0DAFF8CDFE822D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:54.522{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6BE4616C4E7368624A8B3BB1A238031,SHA256=1148A25BD7AA7E3EEA19E1D99244EDA9BE94CA78A61697CAD6A058A4528A754B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:54.240{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EB16F4065FA741503DCC36C8BB4C83,SHA256=0E6756AD07636B108BFAAB740C7C76FD88A5D748B0C0558C7DD7C793A8FC0CB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:51.699{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63950-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231961Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B43-6127-DD03-00000000F301}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231960Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231959Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231958Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231957Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231956Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231955Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231954Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231953Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231952Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231951Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F96E62F8378BC92866D1B5EBAE61C67C,SHA256=A7D69985FD28F4C420B0D55DCD84F233C482CA1B1DC2580446069051EE23B131,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231950Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6B43-6127-DD03-00000000F301}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231949Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B43-6127-DD03-00000000F301}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231948Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.871{D371C250-6B43-6127-DD03-00000000F301}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231947Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA72F7C7D3945B8ED18A51E72350F02E,SHA256=E2F38751AA22E78EFC4D18B8478622F6A21ABA54CF922B18DEA80A0FCB98BBD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231946Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16D62EA065FDDDBDBFBF58615E5882B2,SHA256=64BA994C1A6B25566964CBA59684E3FCAC1CCF69BA6ADEB6182F7041D70DEDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:55.256{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A37ABF12A66FE88CA80FAC8AFB0449,SHA256=76DD8DB1CBD6E9C2A0E9415DE3F046AD324B8114A4FEBDC15221DBCF695EF123,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231945Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B43-6127-DC03-00000000F301}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231944Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231943Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231942Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231941Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231940Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231939Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231938Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231937Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231936Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231935Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6B43-6127-DC03-00000000F301}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231934Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B43-6127-DC03-00000000F301}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231933Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.229{D371C250-6B43-6127-DC03-00000000F301}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231968Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.978{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9DBBAA5B042D9ED46B6D1D1814F5F4,SHA256=34AA6CA8AF54DCE4F72DFFBFB3A790148745B1617528DC2BE197371A52C5719F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:56.271{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01A4193665D6F260A2680FF0C3BDF4C,SHA256=A28D4F099A72B5C423E6D68ABE767032E2B26D78EABF65DC1D84E8BC230080DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231967Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.868{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F96E62F8378BC92866D1B5EBAE61C67C,SHA256=A7D69985FD28F4C420B0D55DCD84F233C482CA1B1DC2580446069051EE23B131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231966Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.837{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=8D624CE153982CF24F8787FBD1E084EC,SHA256=5DFAA2E0D1592568C1704B7E77EB0FF1D4FE36E07AB6578192B6DCD8EDAD5BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231965Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.837{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=A4B12F1EAAA451C3CFFD8FBFEBFB4FB3,SHA256=83C86B6E64AF7EC1BE6A2280EF47CA74A7D8EE8290726BD8A665917E8C306D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231964Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.837{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=4631A88D418C821C99C7C839BD720FCC,SHA256=E6B8780AF462CF42B8D3C6DA261D831199774024D15C3FDD8D008128C0EB3BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231963Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.462{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231962Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:53.185{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:57.318{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23427E03CB12A4107B4A81E14CAAE7B1,SHA256=7E40B97EABBE61A4722CE8A6E34750E8BEAF98BE991D3F5E70A3F8C454F60A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:58.334{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87A6CAB84694D95C71E6F0FB76D967E,SHA256=C44E3100C68E1E49515B57C1CED3ED410AB1E6F526804ED2CB5E7CF62B1A44A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231984Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.337{D371C250-6B46-6127-DE03-00000000F301}29162492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231983Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B46-6127-DE03-00000000F301}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231982Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231981Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231980Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231979Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231978Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231977Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231976Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231975Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231974Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231973Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B46-6127-DE03-00000000F301}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231972Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B46-6127-DE03-00000000F301}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231971Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-6B46-6127-DE03-00000000F301}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231970Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.420{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231969Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.040{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75B2A6BABBFC915173A09FCEA90ED4A,SHA256=805F74AF206188BAC5F5DAEA455EC2AC4C4969B092828B18B05E4148C2F02549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:59.459{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BF8F77359A276C2EB9067C4EDE50C8,SHA256=D5244267424831042EE4B1C266CDDCE4F69FB989E6C4CE7FCA993F88561E3D9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232000Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.712{D371C250-6B47-6127-DF03-00000000F301}23762120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231999Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B47-6127-DF03-00000000F301}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231998Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231997Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231996Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231995Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231994Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231993Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231992Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231991Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231990Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231989Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6B47-6127-DF03-00000000F301}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231988Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B47-6127-DF03-00000000F301}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231987Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-6B47-6127-DF03-00000000F301}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231986Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.306{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C5208E596482CB31690355516512A97,SHA256=C025B1DD243325EE6AC42311D6B3CDF75459A04469207670D5BD91DDE2915436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231985Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.040{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD37429F1D37DBDA8F00588748714FDC,SHA256=2C8F76AE292B064DD5111C0EDB3378416287614159591C4EEA9819E8230DF9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:00.540{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-116MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:00.460{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57971975648CF434FEA05B0943423ED,SHA256=D8D55A4CBD6675D9D7E12775235D6B144A574B3ED1198B0BD6EC71E540F51D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232016Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.524{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1175189289BDF37FC0C05F4EE5447E3C,SHA256=CF8E3CC256814ECE809FDB68901BD69D38B132AEF0E1C80B76D8CEB9CC10CB26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232015Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.353{D371C250-6B48-6127-E003-00000000F301}25003484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232014Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B48-6127-E003-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232013Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232012Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232011Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232010Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232009Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232008Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232007Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232006Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232005Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232004Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B48-6127-E003-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232003Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B48-6127-E003-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232002Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.197{D371C250-6B48-6127-E003-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232001Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.040{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B806FBCA9358E871CE6B3F1BA75BBBD5,SHA256=BFC669C5EF859CF0CAFC76C4B096DCA37E4005A9AC9E3829DAC1C1C67D2D1A67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:57.668{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63951-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:01.555{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:01.538{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FA52955AA96D438413ED7B89174B13,SHA256=693D0ABCC85AAC82FC5CDBF7E1075C842FE3677E73BD613F91522CFB86DFB2F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232018Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.216{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232017Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:01.056{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA876070CF7162322C8395DC29393186,SHA256=8E755B2AF6637C20818AA75F4B56C281FF11C701B21504928BF49BEB15379D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:02.556{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CED4D2597D7C2DB50CD2DDA5A241EB7,SHA256=530A8F1B9613D61C01D73222C3A82C56B182A71A9C451C3D5A6573F031F7651F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232032Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B4A-6127-E103-00000000F301}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232031Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232030Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232029Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232028Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232027Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232026Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232025Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232024Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232023Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232022Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B4A-6127-E103-00000000F301}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232021Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B4A-6127-E103-00000000F301}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232020Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-6B4A-6127-E103-00000000F301}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232019Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.071{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F93FA93E4982783F2884AD895120D8E,SHA256=799642DDC6498453E82CB74EC922C348B2D07C279912A3BD23FE1E2BAF16C3CD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:22:03.932{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a64-0x36e86702) 23542300x8000000000000000272963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:03.588{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF7D4E520DB2FD53ED63819430AF788,SHA256=3B8B0B8170F9CB0F402792A9C1ABBB6EEE5BE1001A24D187EA64DE3800DAB0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232034Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:03.103{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8734A263125188BE727E44B4B82C03E,SHA256=70556A8BE5F7EEE06F8D7A0F3CC59B0CE4A2795A9BD30EC4F204BD4BEC8A271E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232033Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:03.087{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA9D4A9390AEBBC54B4BAD6E906277E,SHA256=FE2ED45FCFCC6E51B7B3B80D4DE50E9478A7202310C74028E11BA20E03DFB300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:04.651{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B2B1D27437924E6995E2C3D03CA3D6,SHA256=4D65B93AA8DE8CABBD9207D38AFB69123A17E45A1581D48F54E888C6B6355AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232035Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:04.103{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70F824C3ADBE41411817D9224BD0CDC,SHA256=84381A9C6B1A62003F0A71EC96E683CF5F043E18180F420F89E3A45EDC8E5B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:05.682{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929B7B457310EFDAC4C8798E4449DD13,SHA256=86E82169A490016CF3AD37A1DC5320002946341E5ECC4D78496B17674A421AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232036Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:05.103{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2EC4CEA934A38585BD7FE57E3E0BC4,SHA256=78630E14E0E88ABB3A028BEB80AC284A6E512B74A0627C4421F6E9037B25F945,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:03.484{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x8000000000000000272966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:02.812{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63952-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:06.776{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FB6AA854E1DE2F8DF002172D31E896,SHA256=042847F8D40364D7A8BFE4668B9925C09899D037E2D5D6678C350ABDC78FE132,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232038Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:04.029{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232037Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:06.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E4BB6BAB2AE8811BD1C797ECAFC282,SHA256=EBBC9DFCCED4B0DF32547AC8DB77DCC5E443CAFCD675CD92ECAAFEAFF7ECAB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:07.791{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70217EB5E73996944B54C542D1A8BC4A,SHA256=A21AEE9764F0E1B37388CC95EA0B2F2CF5A8963262CB35E83134E2DC59B54B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232039Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:07.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6B1E90B20B8089540C3BA5466C42EC,SHA256=8F436A1495322B77EC2D98D95D2A9DF136DCAC71FD59665115285AA2FAD56CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272971Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:08.791{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F70AF3E117E443EF4EE005D716B7E6,SHA256=D40DEC8BE413DFCBF99A35CEBCF3F21EB16C60C9EE2EF3EA93687B9E47599C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232040Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:08.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9EF947362482795FD08625D851A5DD,SHA256=BAEE7270D990FE26D81CCA2EFE10321FCF8FDAEB40BAB95E9BEDB0B4253D8672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:09.807{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EADD9432F2D7F47D0D221945756914,SHA256=753C8A19E6945BEF2B3A99F69A15750CA6A7707501961E463C9773FAE45605AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232041Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:09.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA29B23CD985B67B029211180589E366,SHA256=4D2AC759358D750A219F803E91C7D8B8DA0F3EAF5EEB69722B0B1C9A059762E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:10.823{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5ABD81C873BB4321A981F0FB36515E,SHA256=3FF659B71407AEB90E98AFAF0F62DCD03BB224ED0A0BF5F858AB892014DA51A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232042Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:10.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4499CB49E03E599756CFAF27239995,SHA256=A13A55563EDE6FEA6F88786FC975A5D08BE7D5DE901D4F743E6D37A100B69BE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:08.657{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63953-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B53-6127-1C04-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B53-6127-1C04-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B53-6127-1C04-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.902{80A11F3A-6B53-6127-1C04-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.838{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C145D13AA0AFB59B7B86D45D0B1032,SHA256=44E1B629339AF78AEEBE1698C61277081ADFC228A0348DB1FC28AF102CCF2AB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232044Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:09.170{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232043Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:11.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E45D04596F746AE5485B9E076C5C3C1,SHA256=7F537F828F4C09C40943EA7083FB4F5E476FF792D31AF48BE97625FA65035588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:12.854{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8910527D7701B19BCE8E00FC976D62F7,SHA256=B7E0A0A5799002978244D55323349635012D886B1B86F400E50F63865DFCAB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232045Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:12.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7274A0D6AD1E1B8927DE0197F36109,SHA256=EB909D6650F10F2A45C8956DEA91879F83489D2E0FACC3E01B0CFD154B59AC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.869{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34FDAE46585ACF00CCDA82233DDA342,SHA256=1AFAB3F66ADCA8CAB14388A05E6194782FC29283BDE6CDF2698C6971C6BA7940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232046Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:13.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330563D99BFCFFEEAA8204D10115CCA1,SHA256=F3215E2948151032AD5B85403BD7BF5DBCE83B8C6B1C44323F7C3FC4F09F89BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273003Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.822{80A11F3A-6B55-6127-1E04-00000000F201}34924516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273002Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B55-6127-1E04-00000000F201}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273001Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273000Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B55-6127-1E04-00000000F201}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B55-6127-1E04-00000000F201}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.543{80A11F3A-6B55-6127-1E04-00000000F201}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.057{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EE65CBA7CF88B7CD6DD9F6653F3CD24,SHA256=41BD3DEFEE518E51E1A105DDEA3B36B21CE99FBDB4DE110F8153CC916DFE515C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.057{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6289FB6D167C0A43248865E56EE83332,SHA256=C55AEAC32B16871350AB63FBDB2A17CBE95C12152F72B1FA0DAFF8CDFE822D3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272992Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B55-6127-1D04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272991Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272990Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272989Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272988Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272987Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B55-6127-1D04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272986Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B55-6127-1D04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272985Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.043{80A11F3A-6B55-6127-1D04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:14.885{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D5DD6CA1B6355515844B4442281942,SHA256=C607F8AD9866447F1ED1748BDB2588CCDCECEDFC613AAC824DEDA3D12A65B181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232047Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:14.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29020CCD42BB401F945DBEF76C8104B3,SHA256=94DC544A6B3FF229CF4DC058B5A6B0DCDF4BAB300810E82E9725F200FB4F1E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:14.572{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EE65CBA7CF88B7CD6DD9F6653F3CD24,SHA256=41BD3DEFEE518E51E1A105DDEA3B36B21CE99FBDB4DE110F8153CC916DFE515C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:15.901{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC8710D110B0C446CFCBBCEE9A39E45,SHA256=E1DF098B8AA569BC7E272CB9C9856AD7C9384E1B441F1529D3B13D78F3E0F402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232048Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:15.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69A50518A5F4282D5173DB5CB2542F9,SHA256=ABB5D0837EED4AC55C74EE765FAE4C914CEA1E7CB693F9D3A77F74AE43881961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.901{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDEE9A5779053F56C65C29E12DC1AC0,SHA256=AFBE713D58F056A8E92E9584242E6811B57AA813F62678C77DFB949EF3B859D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232049Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:16.196{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3DD3A8A97560D1F7E1A6497784747A,SHA256=160F0119975A15156004C2B4AE0EE6765CE6256B214662D7630FDC7B623FDB6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B58-6127-1F04-00000000F201}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B58-6127-1F04-00000000F201}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B58-6127-1F04-00000000F201}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.823{80A11F3A-6B58-6127-1F04-00000000F201}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:14.094{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63954-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000273008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:14.094{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63954-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 10341000x8000000000000000273038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B59-6127-2104-00000000F201}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B59-6127-2104-00000000F201}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.995{80A11F3A-6B59-6127-2104-00000000F201}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.917{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B629A27E52BD7D69EB1CFC0A38C12B,SHA256=D3D761B1AA3E94B03272295D8189EF97E9997D4DEB20DC6F68F780B79E23A737,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232051Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:15.201{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232050Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:17.212{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CC7C7C3114EF666368EF1CC7EF99C5,SHA256=939A9CDE1FDCFF701C1154FA406F6F399FB1443650C68C0075F0F819EB57EF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.838{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B72A54C547401121018ED5418735B6E,SHA256=EB8D6230E8540D4A64B846072E9FA1DF4799CC245E632E6061D52C4F7BEC3298,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.729{80A11F3A-6B59-6127-2004-00000000F201}11204756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000273028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:14.688{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63955-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B59-6127-2004-00000000F201}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B59-6127-2004-00000000F201}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B59-6127-2004-00000000F201}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.495{80A11F3A-6B59-6127-2004-00000000F201}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.072{80A11F3A-6B58-6127-1F04-00000000F201}21483288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:18.932{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39194404CB3D8BF5138452374DD39AA,SHA256=CEEA370A8081980ECB82F87A3C501536484BC79A65409810F7E4D2A142EAB7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232052Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:18.228{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B0DE3728626D762116C44CCF55F063,SHA256=FBA1A3A8CB08EC15359B4FB26F57BACC825432DD8DFBC961FFDDF35732192792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:18.213{80A11F3A-6B59-6127-2104-00000000F201}47601160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B59-6127-2104-00000000F201}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.947{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9643F59F89E8DC463C954C4022A783C,SHA256=15AC1D2D49A15AAD47836A6BB76EA0D2B0AAD9AFAB67280DBCD86300646BBBA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232053Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:19.228{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473AE3B07262FF244DBB453E7929B372,SHA256=5AE10A374D897B635A5055A3D5AF2991AB75574116EC5FECF8650E4C3FE4B9FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B5B-6127-2204-00000000F201}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B5B-6127-2204-00000000F201}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B5B-6127-2204-00000000F201}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.511{80A11F3A-6B5B-6127-2204-00000000F201}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.010{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5831A0D89F105405CA1A1DC60D40456,SHA256=0FDBC0AD383DFBA003BF1E3A3FAAC0DE6FE669A6D1D816DD6780B1B200FD9571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:20.947{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C349F8AB365B54A6451ED9CE9E28A91,SHA256=15FE415C0370DB763DFAEE9FC83B7E4B1480A736956E4B3FFE5421F578F81421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232054Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:20.243{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C685DE540E93CE6E2C3AFEF445EEEDA3,SHA256=9267F80492B63F0CA427AE83043808E281A73DB821E93667EB0801DC84C69AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:20.541{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EF94074FC35A38F440EB87CBCD643D0,SHA256=375F68F967CFA345DB93DBB79F4D73394621650B36D76239D25177941F709D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:21.963{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D523DD9DDBBB3781887DB30CE58C336,SHA256=85C751B3813A27B35BC2709EA3A1D773A109E66B29903F0DA2D16DF81523A5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232055Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:21.259{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D417E9CCA3E3EA713B02387D8C17E66,SHA256=A02A47452AF42119F839D34406571B326133BA99909213C88787FD40A320A4ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.719{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63956-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:22.979{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6587E6219A5A6C4649F1D70425ED55A1,SHA256=1E5C9C2A1C77E188E712571B3968D323BF54F6A1BE733ACC635B8D88CD640705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232056Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:22.274{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16D0B55332638A3B14C57EC442B9D2D,SHA256=DF8C1ECB1BD25ABB04AE4FC6AC4147D88BE598DAE455488A8B3397199EE6A2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:23.979{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E249EF0D23D17DBF6652015CB953744,SHA256=D3A4F990E7B183FF4691E11300292ED72D92D8FD65CD194A79856AC01623DA86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232057Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:23.274{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C318FD257F6EF907D59AD5CCE617C5,SHA256=357E165BE39A5F243A1EC8819F3C81901560ECA1D27285826789F33AE22AD2FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232059Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:21.217{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232058Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:24.274{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D669F282DB40CB5F838C1A3C02CA094,SHA256=1614DA742A1CF2646145CAE0AFA5B03A657C1FF7C2DFD4F52482D83DB32C75C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232060Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:25.274{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABEB527A93BF7E36FE3D6D96E22FBBE5,SHA256=280C10A8FCD084A8FFA0380038A29ED69D22D0F075336D2C2691ECCE6D115191,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:24.066{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63957-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000273059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:24.065{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63957-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 23542300x8000000000000000273058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:25.025{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B3E5B0B67ADEF8691126A00A91FC37,SHA256=49B5250FA42E67B8FEE497C3FE693496B7640906EB993D3170AC1AE3A85356E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232061Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:26.337{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBCB0BE2051D0144BC8B7F34E4E924A,SHA256=3D9589CE29D442B4A383D6946F409E40B072CACEF31AA707D7FDFA68CD923AC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:24.813{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63958-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:26.041{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0756A09B40C32333A1AFFDF6C25F878,SHA256=5506F945DBF64E4FA6DBC482EF5F937310AFE7C696F16593FEEC1D5AB8221DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.057{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED44F04BA8384C2F9F298AC716FF6A0D,SHA256=99EA93A09D9FCF658849F7970A633F4CB7B5B4E8892947EDC9896C0DAAEE80A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232062Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:27.337{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43563261DDB87A17FB6A2844E219E87,SHA256=A38C183D460B26B189F6D167B1038FE3F12B783C86B17FF4391078B681E6D8F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:28.400{80A11F3A-4F15-6127-0B00-00000000F201}6323276C:\Windows\system32\lsass.exe{80A11F3A-4F11-6127-0100-00000000F201}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000273064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:28.088{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE85C2BE4BC66AEE928E8790D3FFFC64,SHA256=707B26CD25C0424D10580D5320B3508A59F5321CF25BFE384459EBACF2B9E524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232063Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:28.337{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050B48F22ECC814D5F3399852C6D9C1A,SHA256=3582500A8DF41BDF7E254B08FB666B1C5EECC47B372235C68C14ACC26327279F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232065Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:27.123{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232064Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:29.353{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7568AFAB5D3866F7319E16313E072DC,SHA256=44A0E499BAE627B8F2DA8E5A1B8FE27CB08B974BEECB6CAD357D26E32A4F0C3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.887{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local63962-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000273078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.887{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63962-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000273077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.863{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63961-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.863{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63961-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.863{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63960-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local49666- 354300x8000000000000000273074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.863{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63960-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local49666- 354300x8000000000000000273073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.862{80A11F3A-4F17-6127-0D00-00000000F201}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63959-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x8000000000000000273072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.862{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63959-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 13241300x8000000000000000273071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:22:29.525{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x8000000000000000273070Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:22:29.510{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Config SourceDWORD (0x00000001) 13241300x8000000000000000273069Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:22:29.510{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_306E0B0B-0719-4FB5-BA4F-7A2D80831A9D.XML 23542300x8000000000000000273068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.338{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B6AA793E9DD16C1926104FE12C26B9,SHA256=6E5DCF3E14F452AF89C175418B1D8C4C7C6D9C593F3726CF5F3BC1578662CBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.338{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=351756EAA6E884DB9A6FA62275A657FE,SHA256=2DDA2B20DD144E88F1388DD38CF8277ADD8CE63330FA7263FBCE40B21DF8AEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.135{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55BB7A38BD3E3FDB1643E6E18BD49C9,SHA256=5CE945E1CC141AB6A40F6E119DE65D60A22D8738FEBB860829D5A0692193AB44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232066Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:30.462{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5244CC5F9636E4F07C9F3B95D9B1D6,SHA256=DEA862E8E4BCA1A8CF8E93EF95A8D62890D6F791A33112AD1C5A25532A400AA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273087Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.105{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63965-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273086Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.105{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63965-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273085Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.096{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63964-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273084Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.096{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63964-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273083Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.080{80A11F3A-4F17-6127-0D00-00000000F201}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63963-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x8000000000000000273082Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.080{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63963-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 23542300x8000000000000000273081Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:30.541{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B6AA793E9DD16C1926104FE12C26B9,SHA256=6E5DCF3E14F452AF89C175418B1D8C4C7C6D9C593F3726CF5F3BC1578662CBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:30.150{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1ECC1C1F927C93EC63FCC91FE4B47A6,SHA256=E82CB41D0E5EC506306267F7AD31688A98A123E052D8F53F66B1FC20879F7636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232067Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:31.509{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB21FEA42A62123817AEE9FAD507E4F8,SHA256=6D396F09A4A83AF2E19B8D368500C40FC8CDC4BA7990517D932F4FDD6383E80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273088Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:31.182{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E32BEC0B97E0FD457857CD6EF87D01,SHA256=637126646767FF9BCE9352A11EC960DAD4C16E3399DB9507C480F9E2DFDB6CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232068Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:32.524{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD1BCF060995283F38A11767C83A701,SHA256=A017CA6E0C8A95F9F54F9D3299EBAC47E95BFF66796824047057D4BB44E8469F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273090Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:30.782{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273089Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:32.182{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD9DB793B26860D265FCF3DD916C419,SHA256=68FE65B5187D93A86A4728DE6F0552C843E40977F452552DE4B1A8F69EE34119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232069Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:33.556{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57360BFB0AE12DA165F7B96FC58DCAAC,SHA256=0541788A743F13718720DFD39A141198B17F2DAD4B06FD026A44F1725D04C2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273091Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:33.213{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B7FE9EAAE26281FB65F9F00FBA2260,SHA256=551A02B8A06EB7F2CBC7D21337EBB7099505F624BA537B1B1C2DB0C9065772EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232070Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:34.571{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB236A65C45DA0098DFCAE14A7FA8914,SHA256=C01EA455D345A10D8BBC4A9399E87614E7DC6B44FFF427FB3D998B99EF62962F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273092Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:34.322{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA2406A8FFDAAEE856E7A4CB4EE46EE,SHA256=005D03F290873A1582775AFEAD40F77415867DF97B73C1094F1DCD7EA56DCA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232071Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:35.587{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3132E908A0816BDB22E0BE1DA33ACA3B,SHA256=70B89136A2B4852D55AD6C1553EF70FDA548ED3F40366AB6A4852D148E9BAECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273093Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:35.353{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112F8CC640BF3E267C8E4B1C422119BA,SHA256=0F2E33F674995E2000E6D2A31B447445FADD4E5D67C310F0CF091F456E7201EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232073Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:36.602{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D939ACF2BD51DF776D57593D495265,SHA256=D7C8C9CC6DEAA8BE3EBAAE64C8B882C88759AE7E55FD02D6D2302D31629B4F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273094Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:36.369{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2544CC4DBD672C021476170BB9FF35,SHA256=4B9B52A47B3DE8669CC64C6EA022CF5F3C8446D52839846F92E150FAAE90F3C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232072Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:33.154{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232074Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:37.618{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB7123BB64C61529C1C78281A9D3EE3,SHA256=7EDA92DDEA247D723997DC486F67A083CEC3B66EB8BC354FB3B18496F12F28FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273095Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:37.385{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804F14FE7CC7AD909CFACB260406A3B0,SHA256=0DB0888CF60C3E3CDBAFAE98C2CEA191A245180B8EB86388699678CE9A67E384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232075Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:38.665{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8743BFE9C51D8A009588A4F72FFBD302,SHA256=6895291FE6FD7671DD20AAD8A466440AF4A4225A4911DFA86784D3F68193EF4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273096Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:38.432{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB37EFF4E1D728DDFC20A1723C850394,SHA256=33E6A59A49E96EE02C69F19DB1D5F2F288395855458EFE59B0A323A4A8EA491C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232076Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:39.712{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185E2A33F59D9B9C928A21E95D093B10,SHA256=FAD8BBA0E10681B2FB4D019CBABEB0E3E2B7031C0E0B5754D7D58106C5547A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273098Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:39.447{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448B2FF9D470DBA3CF6AE98D89469DAA,SHA256=646F68CAF36F879F985ECDAC078A15A8A44CFE00BCE9D7716AB8044EFD9A6368,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273097Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:36.782{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63967-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232077Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:40.727{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C827F904F5E01B0FE1581E48E722F7CD,SHA256=B15BB316E7D2A9545AEEB1184D26D0AD421F53A78A87C349DF0B4A964DF65603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273099Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:40.463{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827BD5A2F58042FD42CFAB194FC5EB95,SHA256=A4CCAD86A53AFD5D2B2850D679BC3FB483CF99621C25B8821C8BEF892BE01DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232079Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:41.743{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE58CCD7E17F8E64E11884DDCF11A96,SHA256=9B7DF9113BA91782CA0DA639A1BA2860C7157B0601C20C7CF3DE58483013571B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273100Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:41.494{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF315E71A5D05E2B264BCE5EACE8576,SHA256=B9200D4028A46020A0A88C2989E01B8BF2176A1170347380CF6F3892B1D62FE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232078Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:38.186{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232080Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:42.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21834AF56C3455DB21612EC7E04C2EDE,SHA256=D4F60FFD6C506CA29DFE791ECC28B4D8B1E98DB5A3D5C7CF72D526F795B6DF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273103Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:42.510{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33139854D55DF5777E9557B009A1104,SHA256=D37A212EF50653B0155F24D27760E109ADE3ACD50761674BD28DFD584C28095C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273102Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:42.010{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5C865B1AB2965480E3DCC9C0422188,SHA256=408A65889AEA55EC1D6D50DB9E80DAE9C6B1031E003561CBD45C22FE5CBD7E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273101Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:42.010{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0042EDC196ABA8110AFB913764873A9B,SHA256=227098FAB1513CA9D892B46EFB698F771B5AB752CD7387ECE591600BC288F613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232082Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:43.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E775EE23A1C01CD6173AFBB359D9DE9,SHA256=2BFE89F1126C895CEF384E74267EC0AE56CC9EF3DDAA599E8313F5E1AE1C9532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273104Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:43.510{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5625CD4A8AD57D550EFC8F90280457,SHA256=F6AD9EBBA3E6D7AA89A354CFE9AE00EF49D693B3AF7EB4AEDD0B1F296CB4CEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232081Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:43.431{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6463967EA8048CBE5826E1877925C0F0,SHA256=F5FCE3D66F1223468BA9403FB139E4E9ECB5EA0CEBB3E5F7EC47B3470C83A264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232084Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:44.918{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-117MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232083Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:44.774{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02987CB7F5BB232E257EDD6C75C4285A,SHA256=C0CB801ED92ED49EE5394184A8A066EE69D446657161BC8CE27958E0583DD62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273106Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:44.541{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFFBB33C204064E479E5657F64ACED1,SHA256=9CD6CB469ADFB326C964290B85F6202D380B411E9183CA9BAA892BBED0699909,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273105Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:42.672{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63968-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273108Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:45.603{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A6A4C5B86A3DE25DC09B259C8DC032,SHA256=87745045D4ABDDAF11FF4D901E35799B7FB3A03DD4A7C9B7C4BB74A5458265F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232086Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:45.919{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232085Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:45.777{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEFCAF03D1CD3BBE707D23FA26B2E37,SHA256=9EE536BDD21BEB5FFE3BD7A65CB0A31D2D1B20F6448A348C8E626C7B1545F179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273107Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:45.197{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0A6F47513ADE3B87FAE75A3D1E3D868C,SHA256=83EC9DB0B25810CFD04DFB63A8CB15077020A8E31F0A6BF76183859F3C281ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232088Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:46.792{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0499AF8FF568213A1F1E101731166472,SHA256=B2DDBC05926A065802FACE707260D2747B04877EC6479C41EBEEABCE1A3FE1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273109Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:46.635{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5E1DC49A0CCAEE301ED2E7572A9052,SHA256=FE3813D120C4EB0C4AAC5B3A8538A6EA48103C8D075F95BFC2A84263C5076033,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232087Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:44.032{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232089Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:47.808{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DD547C0FF404D08437B888D0EE8C32,SHA256=22050206CC158C4F7D30005CCCA94033D21B64B62AE78D1B829956E2B11AA830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273110Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:47.681{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560D29662BA0A408AC26E932A159B30D,SHA256=C4EB94B1A9336D36E33345F4BFD8F9B53D457FEED986E5091E93026E8A2488FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232090Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:48.824{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AE77C390D0663A4783D6AEEE89ECEE,SHA256=5F7F65023AA3C68BF0CE89BCFECA0651154E046CCB90E7A3F45D284740B046B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273111Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:48.697{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3727973CCE4975C925B75473C3B3E1CA,SHA256=8B79EBE536521CFFEB2D6D23A62A2DF386C5A78A08A22FAEFABEC33A8C504DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232091Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:49.855{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D675B80F702F348ADBB039FA591CE471,SHA256=CDDBC7E705697A8438FE1E10B85BE8D21A795DE56A71018D53494A11E300AF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273117Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.775{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E0B50E756477B6B08FBE2636EAFAA6,SHA256=C19AC3A212CAF5B053509D3DA2B8774DFDE01B1FE94E81BFECA98A3EEAC3F183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273116Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.728{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=2F44DB78F64AF550704C783225FCDC95,SHA256=FA19D38A31D92B0BCAE20133607437606C0448629A772630D001C23E3FCCD605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273115Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.728{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=8F0F4092CC08A060BA0EB9E30E7075B6,SHA256=808D1DC5483D313720A721A0C0571166006D018A9260DE5BA02BBF3160013764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273114Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.728{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=3E62E66291B8F0BFF730D540016B4804,SHA256=9BA8E6F5F16794598E903028BDE74E77D0630522268C5AC34E6A7A7943AF46B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273113Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.635{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273112Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:47.719{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63969-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273118Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:50.791{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F242A33812A769A64651513042B6369,SHA256=7097748F08D60D407C36059ED33D0DB46BAD9340D7B378390380139CCF79E0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232092Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:50.870{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B068E18DE0F2E86314DD265542F80CF,SHA256=1D5C0AB75DB285F5EA54D9F2C0933DB5D60CECF366C443E4B4EF61334E7BE264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232094Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:51.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90498398C6CE578890782AFBD8BC5E2E,SHA256=3F1584C5FA3DF458228253C55755C3DCEF989AC04D4838C875BEAEA2FD476B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:51.838{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F2321B6527FE3ED6ED2E3CF9DF5392,SHA256=2F7921C781139C2566725764EC5FE5C965B430D1E1B07B49D1CCF60DCD41F0D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273119Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.188{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63970-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000232093Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:49.188{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232095Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:52.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A335B859867454194CE9560A0A84968E,SHA256=54D0384579A88BC25E361CF39F71A107174EA03A02441DCCE6E3F7AA34C60C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:52.916{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C46D9204EEF7D939712A502BBC41348,SHA256=3A2883F817474D97F438EC1C3993AC911DC6A4E8A31DECF5BC6CC5A10CACED77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273123Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:53.931{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D9141D9F852EE78B2384AA58E70156,SHA256=AFD92D03FEE653DAA54D76CDD71AEE0A482F34DBFE7B95BADFAC874D5155A7F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273122Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:53.213{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F82-6127-8600-00000000F201}2084C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273126Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:54.931{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A51BA7CD59A028C57146868557EABD7,SHA256=7388491C4A6E86DEAD7194EAEA30270FB867F98A4CC41DA1C3E2B48C208508C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232109Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B7E-6127-E203-00000000F301}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232108Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232107Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232106Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232105Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232104Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232103Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232102Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232101Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232100Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232099Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B7E-6127-E203-00000000F301}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232098Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B7E-6127-E203-00000000F301}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232097Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.715{D371C250-6B7E-6127-E203-00000000F301}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232096Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.042{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FEDDF92B72BE78529274610163F01D,SHA256=CCFC256D465CF6E413F0D0CFFDB0FB79A81FC6468BD2767D304282CDE99BC79F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273125Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:54.853{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2800-00000000F201}2816C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000273124Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:52.797{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63971-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273127Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:55.947{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC6A3FA62ADBC56025D9137CD16152A,SHA256=4B5DCC10D691754C33DA87C93BDAD84526B712F4B921E0931829E8881EB5A669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232125Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.792{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18C056B3F57CD2A4A0A3C0B92D39B945,SHA256=72D9990570BE27C3E3B0D77C28D6FAA39ECF5284FE0A1B45F57DC5966B5829E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232124Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.792{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=523C59D0F19F2BD75DF347FB938D6A31,SHA256=D3D7017CE4D107BFB583D737A4468D4BA641D55C40A7B1411B8863A840E5397B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232123Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B7F-6127-E303-00000000F301}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232122Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232121Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232120Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232119Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232118Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232117Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232116Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232115Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232114Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232113Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B7F-6127-E303-00000000F301}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232112Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B7F-6127-E303-00000000F301}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232111Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.387{D371C250-6B7F-6127-E303-00000000F301}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232110Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.073{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530437FB07C528676980B291EC148889,SHA256=91EE023C5A0A035A45B8269F75C0184B77A620C6D097E51F253C5856A20AD906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273128Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:56.963{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAA05D97E4343C89ED1DE170803C0DD,SHA256=ACDA2C8D7BB385D9E91E8A1662E8FA22B0F7B694D5BCA31642ECE7115074A019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232141Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.480{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232140Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.214{D371C250-6B80-6127-E403-00000000F301}2340736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232139Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.120{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844F7732F9BFC53EC31E55B6A337F8ED,SHA256=86BD44C0D5863D8784C0E27B7D7C195585948EFF4E2B6FCADC8C1E7BC7BD14AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232138Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B80-6127-E403-00000000F301}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232137Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232136Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232135Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232134Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232133Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232132Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232131Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232130Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232129Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232128Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B80-6127-E403-00000000F301}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232127Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B80-6127-E403-00000000F301}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232126Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.059{D371C250-6B80-6127-E403-00000000F301}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000232145Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.438{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000232144Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.204{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232143Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:57.167{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8CD76528D93904F94C5575013FF225,SHA256=3A5D453D1E3B69A5C1AFB71B6D1E67590CFCA730EF3B3F501AFE78B678CBC2D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232142Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:57.058{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18C056B3F57CD2A4A0A3C0B92D39B945,SHA256=72D9990570BE27C3E3B0D77C28D6FAA39ECF5284FE0A1B45F57DC5966B5829E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232160Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.340{D371C250-6B82-6127-E503-00000000F301}32481012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232159Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.214{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FD23C70915CE7D00CBA7FF21EDF828,SHA256=A81ED577668ACBCD0BCE95596D7409A297E387244E13E7648C7653371E440BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273129Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:58.009{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E66E75B881C6BBED9005E9FBF314218,SHA256=809F779DE9586A0190DD48DADC93CDF960E7EA385D73B5B676E866B748AD4C72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232158Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B82-6127-E503-00000000F301}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232157Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232156Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232155Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232154Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232153Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232152Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232151Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232150Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232149Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232148Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6B82-6127-E503-00000000F301}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232147Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B82-6127-E503-00000000F301}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232146Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-6B82-6127-E503-00000000F301}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000232176Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.698{D371C250-6B83-6127-E603-00000000F301}4092580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232175Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B83-6127-E603-00000000F301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232174Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232173Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232172Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232171Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232170Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232169Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232168Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232167Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232166Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232165Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B83-6127-E603-00000000F301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232164Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B83-6127-E603-00000000F301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232163Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-6B83-6127-E603-00000000F301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232162Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.230{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B979A6606C64B1EDD831038CD310B60,SHA256=E4C3288F3D01701764F0C2F147890B9FF00466D25A1B7EDB43BE96730E1C51A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:59.056{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2923BEFEDD2200F0DE7A42213642C2B4,SHA256=DE06DC0D0CC4022118A8B499685FE4B5CCF90BFC6773731F88264AC62228173A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232161Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.183{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2F6548A85023919602370CE80696328,SHA256=0AA0B51982F25475598935010F99532735A7AB47F96E5BEC5D850CEACA471591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232192Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.761{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCDD2A0D013AA4901D0B445848658FDD,SHA256=5B6557FB5EA065EACCB520CFCD37110263E9B4D22235E918DB9DFFA59B8AF142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232191Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.761{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11864B2072331D9EDF9F31D150905B6,SHA256=26F6DA392CFD65F2D028FF6D3E7DABE4696E881EDDAACADFAE1AF0DA3CD65B9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232190Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.370{D371C250-6B84-6127-E703-00000000F301}6562284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273131Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:00.072{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F4A8183E61E86CA1C35BD914F77D86,SHA256=A28CFD9010BE69CC34B822857305656F85D7080A2D4715AEC27B79A5B3A1F3DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232189Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B84-6127-E703-00000000F301}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232188Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232187Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232186Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232185Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232184Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232183Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232182Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232181Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232180Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232179Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B84-6127-E703-00000000F301}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232178Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B84-6127-E703-00000000F301}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232177Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.199{D371C250-6B84-6127-E703-00000000F301}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232193Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:01.433{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B069B908256E5321E77342237012DF,SHA256=AD055BE039AB34DA9CC142CF75F922917D8469C1E3ABD4A8CD1A2FAE17F59286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273133Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:01.088{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA64CBE8BEE54ED66DBA52CBCA23534B,SHA256=8264E393D272737AA0197419BB5EF71CCD82380F59FF8EBAF73A9FE056D1B773,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273132Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:58.704{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63972-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232207Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.433{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F0B38DBF73FDA4FB76C11EC7D1399B,SHA256=E892BC48C9058C31F1D24D6FA0F24B8AA89058E514B9FEF26AAAD807B8A3E60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273135Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:02.090{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6FD842DB119EE91125B0B007F996D8,SHA256=BF42256C863F9DFF942BB15C8AE6D8E0F34E0F02E441B801FCFB8405A0B67863,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232206Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B86-6127-E803-00000000F301}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232205Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232204Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232203Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232202Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232201Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232200Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232199Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232198Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232197Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232196Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6B86-6127-E803-00000000F301}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232195Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B86-6127-E803-00000000F301}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232194Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.090{D371C250-6B86-6127-E803-00000000F301}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273134Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:02.075{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-117MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232210Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:01.079{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232209Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:03.433{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0E2D088EF85338DF6CA3E9C3C3497C,SHA256=818D08A46C8BCD55C1AC06CEE37A251DA6BF522C4FF141B123D6884D36868CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273137Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:03.092{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7F97CB6D21A8C269834431943C62A0,SHA256=BDD0F551646AF09630B47E033BB1CDF9CF97AF176B6A0C0185DB641F3C1C9045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232208Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:03.105{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8B71368BBBE6FDA3088953046D06F18,SHA256=25D32CB67C87F9B78AD822C60A9267BCF11EBBAA984FD4563E54EBD9ADAE8161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273136Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:03.090{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232211Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:04.448{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AADE5DD9BC5585500A6413CF80C9BA0,SHA256=771ACAADA7B1CBD86ED284B52E55CDFDA133C47B1D83BA646B46B102FDA1900F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:04.105{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB2B1DA4B14F88384A3B62C16FE8854,SHA256=D0200CE07899FFDFF9A9C760F982180FDE690EE9344AA3F00BDCE878734236AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232212Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:05.449{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E141715BBC6CE42CD861CEF3E767A8,SHA256=23C069D43FFEDA9D534884E168F327B5FB1C08BCBBEFE31AB02BBA604F1F011B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:05.152{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415F74C8AEE3AB2727C653F8CC9B786F,SHA256=035736FAF77DB75A30F39BA89F6F99A47EA38584B88A0484BF2C24D3798EC550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232213Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:06.464{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE0783BDD7F223EBC74045F836FD9BB,SHA256=87D696AD76D5F716C946415EA4A5C4C771CC0B4C0AB945DA5B323FB7298861B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:06.198{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A0E7D4376166197EB5B069A1757A4C,SHA256=18C7B7C1557CDFC83EEDC844C2594E7F1141818A9D166EA17DDA796094D79FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232214Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:07.464{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125246500AD978FDF38594A99441199A,SHA256=DCE97D09BC6C89ABC6404A3FC882FDE059C9E032C442CEA11AE26DCA3F29817F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273142Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:04.689{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63973-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273141Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:07.214{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3C4B98E79D44BB3A40F79219E06E4C,SHA256=44688C20A26B2C216C8D9E87A0CDDB65F04D753EF9B92D70BB34F01A02E37254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232215Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:08.527{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06687A120A82DE4F9CB5653087EDE279,SHA256=64D5E98C2432D731C075FEDAD59066239274719C1D7C29BBB6E41A2103E4F92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273143Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:08.230{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C2E3271FB593BEE1817B906CEE523A,SHA256=B4AD61EFCFE9E100819A4A3BDBA35267A401B0AFB4D3CFC71427B5475BF1362F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232217Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:09.573{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FE6A823B7DCCAF5266B1D393C07991,SHA256=EEE060954C5C1C56742A2D8FF8E6A5BAB11DE045A653DEA052422515AA68EAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273144Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:09.230{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51747643060DE607DD221F5F3C198369,SHA256=E8F79FC074EF130D346DBE92DC506D6AE4E78659E871B1D4213E492863C800DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232216Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:06.126{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232218Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:10.620{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F038DAF347474CFBA4518068A4585C,SHA256=772A40427718962A325A4F7A10B97590302EB2B4562949CE6EC743EE8F34D498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273145Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:10.245{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A0E63FBBBE7A38A975A636003A7B49,SHA256=1481B0005EBF031A0F6CEA445182345AB07225C8C251F0DEBF6A640C81130EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232219Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:11.636{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB5E3DBDFEDC411F2089F6FFE2F280D,SHA256=ED472825701C8477712FF947CF6271E14B665363A31CA98ED7D87D26B5E16A4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273154Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B8F-6127-2304-00000000F201}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273153Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273152Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273151Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273150Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273149Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B8F-6127-2304-00000000F201}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273148Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B8F-6127-2304-00000000F201}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273147Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.902{80A11F3A-6B8F-6127-2304-00000000F201}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273146Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.261{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3319ADA6E7FA0831D75EBBC08DDA1AD3,SHA256=70A0C2CF89B05F391F6EDDF06562DB8441F47939C43E94386CD592FC26BDF71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232220Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:12.652{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8235FF55737717203FD673C090F87AC7,SHA256=1780EFF9E97B911DFD560B029EB6EB6350239278B3C460313EC2F371A4473BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273158Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:12.933{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEACE505E6C3E3C3105E133245E031A,SHA256=7F2B9788298F23E8538DDA5DA7F9E87F4448BF51EF03FE3B1534E25B0766D7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:12.933{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5C865B1AB2965480E3DCC9C0422188,SHA256=408A65889AEA55EC1D6D50DB9E80DAE9C6B1031E003561CBD45C22FE5CBD7E41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273156Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:10.627{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63974-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273155Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:12.292{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA5087ED27C02272423A697E28BDC5F,SHA256=554F1815DE503329AB54E4DC79054E22821B43D0D9A2D30718979A55924582D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232221Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:13.652{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1F9D1434A79ACDAE27639B234472ED,SHA256=55EE4CC34DA14501EE32A13390EA5D59C29A459DAEE7ACEF573840505CEF4293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273176Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.964{80A11F3A-6B91-6127-2504-00000000F201}46922388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273175Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B91-6127-2504-00000000F201}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273174Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273173Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273172Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273171Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273170Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B91-6127-2504-00000000F201}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273169Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B91-6127-2504-00000000F201}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273168Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-6B91-6127-2504-00000000F201}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273167Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.323{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB250AE154BCD96701EDDA004DD4B58F,SHA256=87B1CDC3FA921F60C03C8C20C60141CF29F43A08AF4469855266DD99D8E6F0F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273166Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B91-6127-2404-00000000F201}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273165Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273164Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273163Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273162Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273161Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B91-6127-2404-00000000F201}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273160Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B91-6127-2404-00000000F201}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273159Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-6B91-6127-2404-00000000F201}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232223Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:14.667{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E058C348DBDF364D5C04629A1F91CC4,SHA256=449B656FCF40F64CB338FAF94893F4F83F966BEBF1E066FA29687E35C11877C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273178Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:14.339{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0387AA0E71C8A91996DE071411898726,SHA256=C5B920DB9124E3EB5B06FC6A4AF82E52D5B2B9F1EE2DD5A4EF9D018F6B9004AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232222Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:11.172{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273177Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:14.120{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEACE505E6C3E3C3105E133245E031A,SHA256=7F2B9788298F23E8538DDA5DA7F9E87F4448BF51EF03FE3B1534E25B0766D7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232234Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:15.698{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609A8FBEB2FE3B5E94608A0B78F08E0F,SHA256=102118F427D98E608FF81C992FF580F08994847593139461DE7A9ADC7581451A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273180Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:15.573{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CED19FFA23FA9B07900686032DA032D,SHA256=0A170F75A51A9D55F66CC14BB2EE1ED5B5212C7E9542A40E23757F863B2C278B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273179Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:15.370{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347EE62A61851D207C430989EA8CA9ED,SHA256=16B0B4DACAF2FC51FAC19A36A146BC126256C696587245F333929C0E296D51D4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000232233Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000232232Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006f57b9) 13241300x8000000000000000232231Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0xff67bd3f) 13241300x8000000000000000232230Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a64-0x612c253f) 13241300x8000000000000000232229Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0xc2f08d3f) 13241300x8000000000000000232228Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000232227Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006f57b9) 13241300x8000000000000000232226Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0xff67bd3f) 13241300x8000000000000000232225Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a64-0x612c253f) 13241300x8000000000000000232224Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0xc2f08d3f) 23542300x8000000000000000232235Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:16.714{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF005FE42F03C60690A61C746D948BC,SHA256=6BCE28FB1A4C492474C589FF357F495A5EC678BC94ED312C59B75896215876A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273191Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B94-6127-2604-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273190Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273189Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273188Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273187Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B94-6127-2604-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273186Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273185Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B94-6127-2604-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273184Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.824{80A11F3A-6B94-6127-2604-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273183Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:14.096{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63975-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000273182Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:14.096{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63975-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000273181Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE53226E85F71FB6BCABBBAF70D90E0A,SHA256=6E2FB11B35CD80A8E5B434B8F188B59661CA6A786D9B6F4F7103434548D07A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232236Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:17.714{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59D60DD7271A34495F44077E4F26DC2,SHA256=891A086CE9C7923C34914F17104702326A30B7FB6806298322275B7E0B4F8CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273212Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.870{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CE784A223240227F1C5E5A5FBD9B793,SHA256=9DE2C9D0FDCEEEF15D6698C16184FB254CC6D794920DCED491FA0503B413652B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273211Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B95-6127-2804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273210Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273209Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273208Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273207Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273206Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B95-6127-2804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273205Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B95-6127-2804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273204Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.840{80A11F3A-6B95-6127-2804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273203Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:15.705{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63976-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273202Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.636{80A11F3A-6B95-6127-2704-00000000F201}18681612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.417{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44D4A68121202206F3AF45F5627228E,SHA256=A62D0AE293B74C2713A5C7256DAAEC42F42B9F2DA69DF40359C26828899583B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B95-6127-2704-00000000F201}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273199Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273198Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273197Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273196Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273195Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B95-6127-2704-00000000F201}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273194Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B95-6127-2704-00000000F201}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273193Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.340{80A11F3A-6B95-6127-2704-00000000F201}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273192Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.089{80A11F3A-6B94-6127-2604-00000000F201}42805056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232237Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:18.730{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC9F423809B6960EE38D70E8B20B445,SHA256=B342FAFFB4DE09F9592A30122785F9C967CFC94A2D124EA5061038C2C55DD509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273216Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:18.417{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8375F3AD3B2F4746CCFDE2B0CCCF8D65,SHA256=4F1A815EAF384FE774EA3C4E6140437D5F442FFEA1BE39CC4C3633E7A6680AF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273215Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:18.261{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273214Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:18.261{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273213Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:18.089{80A11F3A-6B95-6127-2804-00000000F201}26924796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232238Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:19.730{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16D5D3100875F1B65276DD68AAEE419,SHA256=5DF3E13ECF9AB69DD2C5DC8960189D8F4BFEB41360749589641EFCD058B5BE6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273225Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B97-6127-2904-00000000F201}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273224Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273223Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273222Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273221Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273220Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B97-6127-2904-00000000F201}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273219Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B97-6127-2904-00000000F201}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273218Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.527{80A11F3A-6B97-6127-2904-00000000F201}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273217Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.448{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B735AA006312F53A083EBA66145B9C,SHA256=6438341A440DC1F61C5345A8E5B7AF06193DE72F48D4DD6B98335FAFCB94DBA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232240Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:20.761{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EF85E36CF1DD1F96B89A1CEDEEABCC,SHA256=78430D387BC8B13FCF9419B3D7095785CE7DF528E4D0467EE22A83BCA8433535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273227Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:20.542{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAEA03BFD14A2B148DF0F438CE3D29A4,SHA256=433AD8C25FB7E1FDA8350E5D4C95C052AA43A7844A14B8C2ACB46F5CEAAE92A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273226Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:20.464{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400CCBE9FEB0F83313168B843C1C4A00,SHA256=DA31757E5B64D03ADC79638C560613E78B73847B35C832302D2715C3CFEDD3F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232239Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:17.219{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232241Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:21.792{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C5B9B7EAAAFFC5E1989F29CCE0CA94,SHA256=A9CDA2905EE497690DD9A90F88381F69B20DD326B8CF0BBD4F7147DFCD95CDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273228Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:21.495{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94C44D9D27903920CDA14C17017AF20,SHA256=3D819E4D04CA67424530D4AB6319AD9CD1329DD94986C748BECCCB58E73CCD70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232242Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:22.823{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A2C49AC5ABB1D7BAFE0C237E927196,SHA256=8F5C2F87B8634530E5FEDC503E352F337ECC14E75650564C18EFFDA67909093C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273229Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:22.511{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA14315EFD68B4A56F16372120E0CCE1,SHA256=93CFBE473A45D3D6E6240706AF11225190A3539BAFECF9F4FB84594B7054E227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232243Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:23.855{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE031BFD94D8E98F7AE8571E7EF3C79D,SHA256=8C0CAD40883E3DF4E9794067F00F24F8BC5EE41F0235B569DA176346FC00EA51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273231Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:21.720{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63977-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273230Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:23.526{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359318368D07A6D66C929FF59FBB0D4A,SHA256=924E1396DBEC3279F0B13FEAF6337814D50B9DBA0B2F06DDD186531979563825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232244Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:24.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C34A3F536B471C007EC1744462F9E67,SHA256=19BF9F2AA9482E6459F16399DB08D79E01256A6A87DC66ED15EF80002FEF62FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273232Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:24.542{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1CEACA531DCD9C3863DEAD08D9C4C8,SHA256=0A91FCC23C2302B044E1C542E21FA4C94EDEA2291E9F172077F7BBDC458CDF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232246Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:25.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D872B869BE1E60402975A94429C70C,SHA256=3361F306F623A3AC5E2799DBE39B255276AED1BA917C253AA6493E244BF5F990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273233Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:25.574{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74ED6BC44B4D4168C10D0A1ACE8DDF58,SHA256=8EECA4F47F9C85B8C699D426AE56E46844FEBA6A5F23DAC581BE2854E5C1D721,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232245Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:23.188{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232247Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:26.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773850554DBDACDA06FF675C228205D6,SHA256=37CD1CAC4806A219189FDF7C0BB15DEEC8EAE90202BFCFBA975E39E4007CB06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273234Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:26.604{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBE78CA66B8F9307158DABEDECB437F,SHA256=DBBBC6FFEF0948877BE273BF5771F21CD8CFEDF1917C022A8C5DCE022C9AADB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232248Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:27.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282AFC4E6515017AFB20AB445DCC6549,SHA256=7219395C1385D7A604F52415047F440D15403386A80275AC31C0F376E912616B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273235Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:27.620{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37B1F7DD96FA8449FE6FAF77A01F3F2,SHA256=6CF60BCCB9DD77F15D80CE0F32139970BBC9D73589E0569F0887338C0219362E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232249Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:28.948{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169A0A2B7A171C48BD0895AD4EEC11E8,SHA256=DDD943C7EF475D4FC3A2DD88A85FBCC6A46033BE844C94024FDAD471E32D4D41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273237Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:26.767{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273236Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:28.636{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FA170822240DD7240CFFA79E9821D6,SHA256=6C86E2845BAACF35AB79F463B560B0642EEF5C62881EA1867365BF09622A478F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232250Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:29.964{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A1B3E9962183F6F74C0B313DFA0137,SHA256=C570C46C927632E639603270D9D90D65CFA9ADBA64635B77E348691EE6966F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273238Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:29.682{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F31FD363357A38CD768133E3EF2AEE5,SHA256=90C55C96922E13C353A4CCA8B6E8B7877E69662E7A0C271C297ECE850A6AF3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273239Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:30.735{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27AEC5695FCD9D2095437CA04D3BAE35,SHA256=25EC33B22085E8B53A82AA536D8F1CF35590B045CB73B5AC7422BBCBA5B42F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:31.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC51286544C19BB8570205F245803EA2,SHA256=89F08CA9C7D879E061D918618E79924E7553BC08CDF1A376DC9386C138134EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232251Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:31.027{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C29B51D289475EDD4000B595CC45DE,SHA256=6019A8F9CFAB93637C463B68F1FF008971C6B8A61A17E32DD809FC625D5C3CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:32.776{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF632A52E8AFDF80939493DB44773168,SHA256=54238590EABB4925D71D4C860D5F87CF147E2100819AEDD7387445739229BE8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232253Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:29.220{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232252Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:32.042{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B55EF4FE5C3DDB514ADE381432BFA6,SHA256=B803DFCAD244B185C459C9D32D5E4F26D7A6BCC2AE1EEE92349C555D75FF6834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:33.776{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C3EECC00A929319EF3055A94BC7B4A,SHA256=E87A5B6ECC53B872DBB8EE26419C7D24FD69651EBEF0446F59D567BC963EAB16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232254Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:33.073{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA97855DE59A78060F7DAE8431E27EF,SHA256=D92687B46D9B1F12E43D6625F3D1B6A3DA9C422914D53F2CCB1B4F5ABA2A4B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:34.807{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111C9BBA5ED094D1F37580ADE2162DDB,SHA256=FBAD55998DE15B43058A8B6079EE47948192128E38AB747DDEF22F5558A9C964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232255Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:34.089{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F925A5760DA22FE36D14FA1D47640B5,SHA256=1BD77AB1D6847B5ABE26FF357922A1F5EFDD548C497DC8B5E5AE693AEFD6ABBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273245Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:35.870{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDE9CEDB1D6EFF21492D50174AD5B62,SHA256=4FC140F3B590D80F3FA459648C3952E9BCC409B8B4D1BCDC48546E0D1DD9109A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232256Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:35.120{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9033A41B2AE0877F465A2F810EE9C264,SHA256=148680B0C122D56C1BA0145B0C6790A520B3F82CA8D50D661492F925D3C2E4F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:32.627{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273246Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:36.886{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1FD9FD425306F5989375023289C041,SHA256=30570713CC264B2BBC5553A847668EC4F9173580347199CD44C4314BC985E09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232257Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:36.151{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CFC177542861A2AF040F0F2EE2A425,SHA256=6CA4FC0B6C3E5D7A19924B5E29247320EE7DA06A04EE9CEF5B2608F8A44E98F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:37.932{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5BC13BB265903EB512BA6400366BC1,SHA256=79DA80770068785995B80CF694D2299F39A2C487F04C03A3CBB2BE7D7BBE1F60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232259Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:35.001{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232258Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:37.151{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83B30B3A977F2447AF46C2B8A33BC38,SHA256=A562312A9B30F9EF713FDF445DEAC0C78A0FDF5295E7A0E6D61A0BC158E6855C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232260Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:38.183{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61FC7F8EE5416810D7E73C958161CC0,SHA256=3D5E6447FBE16D77F2B47DC6F263F79BBD3ABCEEC090C27654421297480C40AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232261Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:39.183{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C13723291C27CCE4DB09FAF95C10CD7,SHA256=0B14253C8EB3A8E62A90A594252D5D73FD2681EF8C3BFD402A226D7E08C2BD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:39.182{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA38CB8B7B4274BDC9935D0C20C867A6,SHA256=A70D855AB9CA4175BFC6F803ABD93A1CDEF7B9CF68701FE82C413C9F5A1753F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232262Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:40.183{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25562D95A97B28B3122BE27FFF303BBF,SHA256=6B020ACAE6CC373B98718FD4ED2C6F6B7C8E002A5B72AC58805A46FC653F6404,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.611{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:40.307{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDDF091DEF3FEAC26629BFE83A24121,SHA256=2BC36CCEF15E66D25AC4D23C8E647CF04E84792B1E81574B676935D05CFE8A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232263Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:41.245{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1643146151DC3D12DE6023FA25A6C953,SHA256=AE0167CAE3A584A665697EE33ABBED045ECDE8148D260AF6ADA6AC9926404DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:41.432{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB00ABB9C66DF2F0321962CD84B5B4A,SHA256=D6A81C254CA851D46C5BE7CB24DB785C085C528C7CE081508506289D098DCC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:42.464{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDE5097360A369A9E394E9275C8F8D5,SHA256=62DBC8CA084AAD93AE0D9654FDE162CCEB23635ADC6B62ECE9A62B7E62EDB17C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232265Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:40.048{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232264Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:42.261{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DB0DD393F779CC1CCE210ABBD206FC,SHA256=87D251D23E6F05A0E0BD61BB08A7E3644081A2279DB3A5B2538748B5876083F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:43.479{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0D4314275D02CEA6E9CD4BC605FCDB,SHA256=161859EC4E9E80FD8D61FEA66067985AAFDDCD7F3DA88677CAD52B367C6404D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232267Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:43.433{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E0B53F0B92018D891CA26BEC112F7025,SHA256=840A7C2CEC79032CA495AEE4A78BD35D9971C7732D9D6AA21AF28830CB8E2F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232266Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:43.261{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D708D7E10FE36547A2C1943D770D1F60,SHA256=E9953AA704585FFCF6BDDB26FBF95E98E715E7DDAFC44466E6538C3315C9EE7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:44.510{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC289688020D2E9068F7C820105BC424,SHA256=41C165CF8A667D29EFDD5CEDB36480C9455D9F3B5DB5CED800B02E22082782AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232268Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:44.355{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA06FC3C74D14CBE67E11CCBB29A8F4,SHA256=3EED198647A2AB69479E5E42701A0CBDC4A43FA55E12ABEA7D6F50FCB4A0A39B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:43.751{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63981-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:45.526{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADDE67124887B314E3B6207C1544B91,SHA256=A2CD903A04AA4682DAEF38E813D9AF0384F3ACDC1565088849492B7F79752B66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232272Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:45.870{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232271Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:45.870{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232270Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:45.870{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232269Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:45.355{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946C66B38A885FBA0F6ABA853653DDEC,SHA256=DE25483D4BACC50536CCE54CE5A7EFAEE0F205A5D34E80B694D6402F35543B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:45.198{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6CBA0B69DAEF7FDE0B964F1C0BE1AFB9,SHA256=F480894E213616C35545CABAF783329C32F89559EC7DA98C0D2D9E9ABDDEA7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232274Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:46.436{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-118MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232273Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:46.387{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0CBC35DBC19DE23C8BEAFE7B9EF3DA,SHA256=98E1B4D43D5D5F8F09C72CC95FB4FA50B89CCD1E80FFEE1A04AE2BEB0ADB5F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:46.682{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A5E1092415C0A716E56C7CF75DE69A,SHA256=96AF931856E232D059A93847B22088F9FE36799FCD033C8DB4AE0D425F9C3014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:47.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C879057B55ADE472108DCA2A766B52A,SHA256=DFE511EC39E98EF287B5CD88E203F70543A5C336FEDB415971DED361961732F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232276Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:47.450{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232275Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:47.418{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43ABAC77521A2508346453F582ABF92,SHA256=BD3DA5BC6AE0FB104E8EA515C7F1A5EA5A5DADA43D1B00431D20E4E5D3217D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:48.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D0F90F140DF4DCAA91F3126FFA2273,SHA256=E55E3BD08A3BA3FB72E389DEF6EA90218312A03CD65A2FF4BDD2DE49EA6FCDD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232278Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:48.419{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F0FBF0BFCE5CD46D91DDA8E1252C9F,SHA256=50672B4B672FFA8090F9F1B62023A1C0AB517E093DAE6B15394D21DE441526FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232277Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:45.158{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273289Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:49.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D43E2382243BDFE40B27EF37F1564A3,SHA256=299D10BC51BAAF030EC41DF761325E77949EF835AB96AA74E808B5C71A69C1ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232279Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:49.466{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5DC635F12D8AD2C78240E7EFEFAE80,SHA256=926FB4017119D0BFFE6FB3707C6955E208B79FA7D5A35F2F661D10C1BE843CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273288Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:49.635{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232280Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:50.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F2A9C984A89B477990D724AE8BCBC0,SHA256=40263D217898D54CD1FA4FEFC5AE6A0D28979D6C315CBB1F928B52F5DF13DD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273290Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:50.760{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32ABE6C6CADD48A93468E13DF76A8671,SHA256=5D7CD4D66237F83145DB7A93722B69F83B56B1A9509D3FA5DDA826A0DB9F449F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273292Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:49.205{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63982-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000273291Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:51.760{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF83434AE8CD63CA09C6FBA7311B8A12,SHA256=F2E19B2A24CE6E9B66ED96633ED29C5BEFCE8B2D8C27C7EB281AD60D51CB66C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232282Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:51.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67479A5D41FFCAB97AFC05DCDB1E7984,SHA256=2FD5E181E0134233B57679082EE724578F2467D3CF928588EEFCEF29C6775DF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232281Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:48.644{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:20e0:2601:8273:fb42win-host-944.eu-central-1.compute.internal546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000273295Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:51.033{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000273294Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:49.674{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273293Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:52.776{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09A6F59E285025436C2F4300BE9DCEB,SHA256=F1FA3D77B9589BE82E2EB6E501719ABDD46A79802714142051393F4C8B8C5B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232283Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:52.497{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B92B565D36ED00A7FFDEAA2A819A2D6,SHA256=54261244620C31735A0A1AEE033CB420F8A5A85AE86108B23E7D32DD8CEAA267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273296Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:53.838{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E6E9BCFD768D0526F085ACE6152B99,SHA256=0A367AF91514D2C6EE822EE719DFB1064F4C3113A62804D6403D3F379A368B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232284Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:53.513{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4733F6751A4F8D8A8482B8CCC3730E,SHA256=A936347C8330F4C488FD0B9A9047A36CFC0CBA80D6FD6B438EDF487172CC1F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273297Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:54.885{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB93E2CBA03681803CFB43387AFF35F8,SHA256=7ECC798BBC37B5ADBEDB67F03BCF3EA453B1003B0736E1BF063BBF3F1498E63E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232300Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.888{D371C250-6BBA-6127-E903-00000000F301}23122540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232299Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BBA-6127-E903-00000000F301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232298Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232297Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232296Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232295Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232294Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232293Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232292Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232291Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232290Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232289Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6BBA-6127-E903-00000000F301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232288Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BBA-6127-E903-00000000F301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232287Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-6BBA-6127-E903-00000000F301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232286Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.544{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEFA651D17910F4B5C2F757CD74B4F5,SHA256=42FAF3B27AE83711629681CED356C7D5FB6821C2A992018DE8C75D8BAB9B724C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232285Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:51.143{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273298Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:55.901{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2A17B654430BC8D956C344BDD1DCE9,SHA256=DE3E04546F84D0FF6ED015C38AAB4740DE61FF697275777C67FCB8944304502F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232313Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BBB-6127-EA03-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232312Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232311Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232310Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232309Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232308Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232307Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232306Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232305Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232304Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232303Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6BBB-6127-EA03-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232302Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BBB-6127-EA03-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232301Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-6BBB-6127-EA03-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273300Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:56.901{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15629A2914B5EB2BB639CDB53DA6FF4,SHA256=FC4E481B5CC446115598636854E617DE5292F08B18B820A5F21A7165E3C158CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232330Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.497{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232329Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB13B3BCD6684504538AADADB126895B,SHA256=A4A72538E480300DF65BA8E9A2D57F255A7504E13EF1A0368D0C5B6C9BE0597D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232328Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232327Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232326Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BBC-6127-EB03-00000000F301}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232325Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232324Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232323Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232322Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232321Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232320Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232319Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232318Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6BBC-6127-EB03-00000000F301}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232317Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BBC-6127-EB03-00000000F301}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232316Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.030{D371C250-6BBC-6127-EB03-00000000F301}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232315Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49BE82F4750DBF72DD04C71FAAF3CB64,SHA256=B81BC70F60502256FE2A8DC0520F9653474FBA36349FC24DE99470A76D5F7CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232314Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635F36102B3B44604B66471DA8636607,SHA256=870650AB59A34A216A0B9694EB4D8D528ED441948575777C63E10621EC51ABDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273299Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:56.338{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-0C00-00000000F201}840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273302Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:57.917{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC711FC2B6EED90A6AF8A7C856F5A0BE,SHA256=54B7F03A2373DDE5E8462350972C132B93BD062961B9703177BB1F3326697C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232332Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:57.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D80FD3D128C5FCE57181AD3EA3544F,SHA256=E874D397ED97CBAABBC994075935AC765EA44EAC034A1174AD9F8BAB3531F533,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273301Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:54.783{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232331Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:57.028{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB13B3BCD6684504538AADADB126895B,SHA256=A4A72538E480300DF65BA8E9A2D57F255A7504E13EF1A0368D0C5B6C9BE0597D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273303Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:58.948{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D067C835482F6FE2DC329F2711965F1A,SHA256=170BA3AC6E01ECD50C3150AF56338E745A7BF1186616C3DF9087F46E01F4FB0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232348Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.456{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000232347Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.294{D371C250-6BBE-6127-EC03-00000000F301}3163036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232346Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BBE-6127-EC03-00000000F301}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232345Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232344Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232343Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232342Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232341Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232340Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232339Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232338Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232337Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232336Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6BBE-6127-EC03-00000000F301}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232335Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BBE-6127-EC03-00000000F301}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232334Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.154{D371C250-6BBE-6127-EC03-00000000F301}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232333Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C96796861464D795D6204C1386E679,SHA256=DEFA7F4D2313E222FBA3FD7474F3415C66A12B8016C87DD7586E731C9EECFCCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273304Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:59.963{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179009722478E1E6600435A1C0E20C19,SHA256=1682A886E9446E1383A822B0A408B5BA312DB79DEC8D30ED48704F9BC11412E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232365Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.622{D371C250-6BBF-6127-ED03-00000000F301}25561876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232364Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BBF-6127-ED03-00000000F301}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232363Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232362Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232361Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232360Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232359Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232358Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232357Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232356Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232355Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232354Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6BBF-6127-ED03-00000000F301}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232353Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BBF-6127-ED03-00000000F301}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232352Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.452{D371C250-6BBF-6127-ED03-00000000F301}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000232351Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:57.065{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232350Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.294{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4836DFDFE788270F5E0C23B55975DF11,SHA256=EB2B7828DB98585FDA407700506898256EE8DD869E502B33AA5652724F0B1715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232349Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7651FC349FE6FFDE5BFF071DB330366,SHA256=8627C70DA56E890C65AE291C6AD45C84A83C64CE8CDB929B99AAE1E8DA404BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273305Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:00.979{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0420A5789A191B1C8454B194904BE9,SHA256=6DB89E97E33C7BBB81E02EC67C8BA99698F9A225A34A33D0D6739EDE268E8F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232381Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.497{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=652D19E0C75604CBD53681CAFB7C3DCC,SHA256=8A9121312EAFB2BBC89336CB725954928BABE18DDEE1758CAA4B89FE75EF24BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232380Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.247{D371C250-6BC0-6127-EE03-00000000F301}26522332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232379Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BC0-6127-EE03-00000000F301}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232378Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232377Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232376Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232375Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232374Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232373Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232372Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232371Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6BC0-6127-EE03-00000000F301}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232370Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232369Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232368Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BC0-6127-EE03-00000000F301}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232367Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.077{D371C250-6BC0-6127-EE03-00000000F301}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232366Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DC129891E37FF9EE27B05E2FF76E03,SHA256=BEE6F001CCD5107AD4CC169EEC05E55E4486872F0031B669A8C249244E9CA467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232382Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:01.075{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6082BB4861DCCC3A99074A788AC458D8,SHA256=01EE00D6334F2AD38E0B89D05053C0B30DEC4CF5896CDEE4C37B7F1A60DB66F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232396Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BC2-6127-EF03-00000000F301}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232395Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B848C19EA7BB3CECF78F41E5CABEA4E5,SHA256=6DED2AF8D7E6B9AED11EF84CDB62F3A20113EB9174D1A18C0373CE81C3D34D09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232394Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232393Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232392Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232391Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232390Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232389Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232388Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232387Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232386Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232385Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6BC2-6127-EF03-00000000F301}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232384Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BC2-6127-EF03-00000000F301}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232383Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.092{D371C250-6BC2-6127-EF03-00000000F301}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273306Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:02.010{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C0ABB9DF60BEF4FA67695CE44652A7,SHA256=3F74F548156ACA16173D0B63A330E9C1A85B1A3A03576CEF0A74A819EDED8339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273312Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:03.607{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-118MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273311Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:03.496{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273310Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:03.496{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273309Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:03.496{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273308Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:03.026{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FBA144BD215BA8ADB445714A511C52,SHA256=0ACE2000865C71658D1D493E198B0A4C69585503BD6CF272E7A0D48A2D9CB6F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273307Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:00.798{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232398Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:03.106{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77E110D016D7E19915247AE3E1DEC83,SHA256=59C9CE1A865A7BA842837F91525F981CBF85F44397CEDC9A5559B3A23604AF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232397Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:03.106{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50C885AB56F8247212A61FE0EAD0779D,SHA256=8A30DB7731C52FFDA14F6F305C48B31C12782391631C588A357A328038739DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273316Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:04.621{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273315Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:04.307{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0678334D8B6CCC219E999346D065977D,SHA256=ACF07E1A3BFB2099CAC0BA1CBA37690954254F366D9680487BE0EC8337D881C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273314Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:04.307{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C722B85166466C40B687119CE8DADA4A,SHA256=BC18CAF23BB04E708E3AB712C9A8BD6BCA846E03DF0F91D3C04BF665690B101F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273313Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:04.057{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A930F0A24140BA6091A7869180F613,SHA256=53F12F51A40EDC76EE74FBCE96692D9A793ED6BAE1C91761C26336B0D62DDB76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232400Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.081{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232399Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:04.122{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0818C7ECC04781A3E6A110F1373D6F7C,SHA256=E7E6CBCFB458DD3BD53536EAF22BD83CCC5B21E4FAA26A6F23003952C201243C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232401Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:05.122{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B346BAA5A2A8CD58867FC2D88C71DDA6,SHA256=D559768DA0D330CEB58BC0BBBE5EE8E3CC399FBAFA1A4E208AB0C8A3FE805F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273317Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:05.102{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C142382253F19E0E28D2E8E44A4C1D03,SHA256=C57A63120ED9F6115B3F59C8052E5ED0B1B05C8A61FE6D7FCCB352D323A9EBA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232402Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:06.122{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BF5E41F11E98C3ACCA0A180207C0D9,SHA256=47FC9A149BDC5957043033A886F8FEFE66A084B6DF742E778437652BBDAEA52C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273318Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:06.153{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A23F727E5097032D5A5D662027AFDF,SHA256=9C23A58DE2D759CF38B949B4C67CE642CA188EFF82D6DB0E9D14C82E355E0051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273319Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:07.199{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705CFBF09DA69C63FB0391D3074367FA,SHA256=0FC7F175459BDE7E4461EE9B04C95D39E8C93964ECC372698EAE4758AA4EC6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232403Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:07.137{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCC714410835E0F70A36F5A153B44B0,SHA256=11C35B657108877B22DDE84B21ACE30731031A5D0F06A6462487238EEE11EFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273320Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:08.231{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B7838AA95F4DD50282CF4ECD19A6A0,SHA256=B983B6216C58BCC183740041376E48953789761D32C05FFBA2063E452A3DB2A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232404Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:08.200{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15DECEDAEC405640C8C5F7798EEF530,SHA256=30229FD3CB06F4DEE1564D35B16D8C859789BF6B3D77ECF2288F100B22EBF23A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273322Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:09.246{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FE262CE39A650963B03A80ABB520CC,SHA256=6ADECD0B121A85CA0935B0E215580DA867AAB3399431C0945B94CBA59F714FA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273321Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:06.675{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000232406Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:07.176{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232405Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:09.216{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE321C77AB6BF42DD3DABDA49996D21,SHA256=838C910E2B755CE881317CDE43D3BD37F4F3B9BCF13F7CD5672F32AB36C85F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232407Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:10.231{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA9166FAEA64EFA4235E31B5560573E,SHA256=4E66FCE95E35A77991A1E7BFCEF93D6AE24D61D2008F7CA86F96D2E6516E5DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273323Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:10.293{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800D18985A60536DC6D98F31154E90BC,SHA256=54588E01271059CA2DCE1B359377284CBCFA955F1338D9A3FD2DB59D2C8704FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273332Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BCB-6127-2A04-00000000F201}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273331Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273330Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273329Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273328Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273327Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BCB-6127-2A04-00000000F201}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273326Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BCB-6127-2A04-00000000F201}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273325Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.903{80A11F3A-6BCB-6127-2A04-00000000F201}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273324Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.309{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254FACAEDC55FED3EC547B0B7F92A358,SHA256=05E86EE1CD3AA1C843842DB7F613DA5294C2426F273FE1771107670CFAD9E54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232408Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:11.278{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A19892DD201AB204A98EEC78A9AD2FB,SHA256=E93043E20A61704EAA44A37453E533DCB59B9E81C4EE0B882336573CF4CDB9F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232409Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:12.294{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22D38B8F3FA518C83173B1F12377F19,SHA256=0EEBD7FD1AA339533821FCE1875A43F5B091191D8D5FCCD9F488D63FDC44BE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:12.918{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C9799DA3CD52D5F7528F3838D57BF3,SHA256=B03E23AC801D858A1D1D24444135BA0462CED224829A7690B0C7C68EBE5830A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:12.918{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0678334D8B6CCC219E999346D065977D,SHA256=ACF07E1A3BFB2099CAC0BA1CBA37690954254F366D9680487BE0EC8337D881C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:12.324{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66B0B358B55C1D74ECD1A1790514C00,SHA256=8890C1312DD39994714B30A3855FF07642D35926A4FE542E3FEBB5994EB4D522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232410Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:13.309{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08B3EF6569244AB2D4F9D044AA1ADCF,SHA256=3CD50302589AE830AB65EB1A6B5B04E8FB69D2413262077F0B2225C0A81A1CF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273353Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BCD-6127-2C04-00000000F201}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273352Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273351Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273349Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273348Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BCD-6127-2C04-00000000F201}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273347Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BCD-6127-2C04-00000000F201}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273346Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.638{80A11F3A-6BCD-6127-2C04-00000000F201}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273345Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.340{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37402B87AB21E22FE665A636763C2F3E,SHA256=AA5564F045A9F20F4153F5CE39C23EF3FD8BF40043F8353379E69E54565C632B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273344Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.262{80A11F3A-6BCD-6127-2B04-00000000F201}20283140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273343Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BCD-6127-2B04-00000000F201}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273339Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273338Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BCD-6127-2B04-00000000F201}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273337Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BCD-6127-2B04-00000000F201}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-6BCD-6127-2B04-00000000F201}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232411Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:14.341{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0411F6223990E37D2EAECF0A547CF3,SHA256=E68E558A617DD9EC9B685C1BEC8CCF781043972307A517AB490EB14EB30ED454,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273356Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.815{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273355Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:14.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFDBA71E0D08ED0EC8E4E137FBAA7F6,SHA256=F7878653742AA9B6498B756D6E9504513BD3E0DEFFA65730ADB51EF908A06D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273354Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:14.074{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C9799DA3CD52D5F7528F3838D57BF3,SHA256=B03E23AC801D858A1D1D24444135BA0462CED224829A7690B0C7C68EBE5830A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232412Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:15.372{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63ECBC7F32AE26D910F8FE77A78F0B4,SHA256=141166249C82C27CEDDF0EE90F3F82E2639B443483274C4D9CACCE7A83D612A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273358Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:15.543{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FC34BC6C8CAFB76579FF7EDD7441CCC,SHA256=0961DC4AD1A18CE822D7E87030A0EA5F378DCC99252629FD37F3CDFB8DE999C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273357Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:15.371{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1A34B135A649195BD9AD694F0B5512,SHA256=86447E90C924F7D0223C47B762972E57C481C037895A1FC9A2FC50A5CF66315D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232414Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:16.372{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A82FE4D162DEFA481E41D84144E43D,SHA256=F9FAD86F9211FEDDEF0AB355AB9B833ED54D1F1DF525DB537D28C30287E9B64B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BD0-6127-2D04-00000000F201}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273366Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273365Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273364Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BD0-6127-2D04-00000000F201}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273363Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BD0-6127-2D04-00000000F201}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273362Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.825{80A11F3A-6BD0-6127-2D04-00000000F201}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:14.097{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63988-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000273360Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:14.097{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63988-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000273359Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.387{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2881497978E3662DF701213BEA748F4B,SHA256=612353FC19C3F4F4D30090ECF496C90465AFED45124101F6A2382AEA17E2E8F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232413Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:13.144{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BD1-6127-2F04-00000000F201}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BD1-6127-2F04-00000000F201}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.997{80A11F3A-6BD1-6127-2F04-00000000F201}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE600620875D7C6DDBE7B38D13160472,SHA256=2A05EB003BAE34AAC8BA8765A1365789203ED5CBE24074862739CB40E1AC1712,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.543{80A11F3A-6BD1-6127-2E04-00000000F201}44483804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.434{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42043E4B8F2F108D4AD035EFAA232FC,SHA256=3AC3D4A259C196348BDF18FA7A9D14C4A5BA7ADAF9899709DC36A01D0606051A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232415Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:17.387{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550FD474A4B13DC49B823F9FAE55D018,SHA256=D468C69078A8A3B29DFBBA550AADBAEAB41CF8B4ACACD21E2AFABF0AA428C91A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BD1-6127-2E04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6BD1-6127-2E04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BD1-6127-2E04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.325{80A11F3A-6BD1-6127-2E04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.043{80A11F3A-6BD0-6127-2D04-00000000F201}42361572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:18.668{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7288658E1909A2C44834BD184E94561,SHA256=A8478F7A617D649FD6CC53C4816A1292D11751540B15BB6144EF596A9D543819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232416Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:18.434{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=960E63EA09AD50546F05AED3D9336DC1,SHA256=8C2B36F72CCEABA1D5C6AB0EEA2323C7AF8976C172CD38B857B80DEE9D7DAAB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:18.215{80A11F3A-6BD1-6127-2F04-00000000F201}10721076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BD1-6127-2F04-00000000F201}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232417Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:19.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5431947A313313B38D1358707DDDBDEB,SHA256=96C8E644B8474CA50FDB5F9152698FFA5FE62B279F41DC961DC7D7D464BD9136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.685{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E236928ED5ABB920688D375DFD9BFC9C,SHA256=B670205BB5D09708D959C8172E8C27A39C946C24C1D840CAD83C81CA3CE1A2D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BD3-6127-3004-00000000F201}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BD3-6127-3004-00000000F201}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BD3-6127-3004-00000000F201}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.513{80A11F3A-6BD3-6127-3004-00000000F201}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.027{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC761E91F6B9D22C40529E6CEF85E57F,SHA256=E6BDFAD131519F07691330473ACFB4EA6C4235DAAE7463D943C9946A5275C5EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:20.699{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B744E712A786C454B505D17738293DD8,SHA256=0F2A4C63CFA264A3F908C519FAD9F1E753E7087D52BFF30B34828802E897BC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232418Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:20.497{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C7E3F33099BBD54A837FD2D4679F7E,SHA256=A2BF218A0F7F363108C69BD6DC1470C4BFE47EA7291AE5DFE59971EBF90E90DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:20.527{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50595520CF633E9B31BE0728B4239CC6,SHA256=CB0AF4AC145C4093612B8D66C3E5B2C3AEFEAA3247AC13C92BA5CA8579CF6473,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.582{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:21.934{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2502A33B622F8FFC1AB105EBBF1E2E,SHA256=83BD9E907825EF7DDF02C61C55E4E5D35EF34934A41A4098B956881A78535F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232420Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:21.497{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A618545E82BE899C26C759A06624987,SHA256=BD0694DCF0F492F7295B6165D3DA41E53D8833A2C7017E22F7ABEB0E59190412,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232419Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:18.159{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:22.949{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73CCBC188D5264209CDE5EF72579B49,SHA256=88DE5EA62A3B8EE17BD787BF6461580650B29BA64C242A758CB4DB63D067D5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232421Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:22.512{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D56323388DB2A7B6213C4D81D10E98,SHA256=944210CCC4B99BE5CC7FF73B037034D3DE962287C7C942A64E9FD7A3AFA31C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:23.965{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B277451085FC03120828F7FEA16E0D,SHA256=30C94197BD0A99D1AF61B4CE77CEC622C8248B45575B707DF6C35A6F65A1BA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232422Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:23.512{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DBB6A094D38AB32F8561CDE3B44C50,SHA256=0C388DF186464B5EF5C83DC7BA3BC94409E2454BA8168EC8E5D209F1E3CAD3A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:24.996{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4719ECE23A224F986A0A516523A36441,SHA256=4AE603CD3A4DD053B99EC13F660F4A4CD6FBFC8AAF3EAC5E8F8970F56A96C159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232423Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:24.528{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736D771B6C0A0B48C5F049A96A00EF58,SHA256=8C2AEF2480A5B81078ACA7EBBB97C91B24A5AC7A3F1DCBDE06FFFD51E673CAA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:22.737{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232424Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:25.559{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7346A2B1B4ED70B55529188E3B0C6479,SHA256=978150F3E545E58C1BA822E123FA5843389F4E9C914006E19688848B462387CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232425Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:26.575{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083DC8ED4B8E5F93C9635B711336C40D,SHA256=DFFFEDC489C6CFADBB9826E9931AB1B5F3B77705EC8476B7E61F9686DB58C387,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:24.522{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local61138- 354300x8000000000000000273412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:24.522{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64833- 354300x8000000000000000273411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:24.521{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local49774- 23542300x8000000000000000273410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:26.059{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BFF2D7C184F43E290BEFC39C9E82E8,SHA256=52554E91FCD3534D70D7A274106F9344A8EAF6E22E024F5E72AAE23C31568DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232427Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:27.653{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7081223C4F393A8303490B13ABF59D,SHA256=B2079AE6654B9AB65E96BB5D9FF752F21EB7AC45466101B7ACB4C58092EF130E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:27.074{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89796F491E4A44BB379FFAB4CDF65945,SHA256=7C8F6FE11877327492192C7BD96655DF766AF4C36D6FCB88329B13F933D6F8C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232426Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:24.175{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232428Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:28.653{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6605F9EFBADEDF7B99EF40454336C4,SHA256=6FF23827D1FC924BA8D268A17651A2D62556963400FA6075CD3DCB99E42C14D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:28.449{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2800-00000000F201}2816C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:28.449{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:28.090{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48082438F2D9A58A0EA81AF890A22A56,SHA256=0D4CF8F6C991DBF24D530C1E7CD68E59ABFFC9BC5E69BA35BFE1E2BB105581BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232429Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:29.653{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98BD76D5714464360708C8E2968E77E,SHA256=88E5E4515E0F0E795AC1A3D81D7B9BABA610E304D7DAA8B81FD5A926121CDF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:29.121{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963C9D31814FDB431876F72CE0AEEA2B,SHA256=FA82CDA742D2B58AE81DD28373E3A87E2C383183043A99BFD9A0038CAFDD2AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232430Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:30.700{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585E3F6A8A5BAF05CC17FA426C42BC86,SHA256=8860F38A83D06B77371BF8BA77E218FEE15FBFA5BB38C9C6601EA222579CE63D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:28.690{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63991-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:30.308{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:30.308{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:30.121{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3567628FA8118B8DBB9FFEB91D2F309C,SHA256=9CC0332281494FFA7C85AFA095024128854DEB4BB37613C23ECE1AA32CB9D0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232431Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:31.731{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB449CBB40C204EA16538290E653DCA,SHA256=8CE00B7183B786E788C69C2CA4E06A195E9E29D6F32EE5FE588E1C199509D4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:31.152{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A056655FFFF6CD4C0ACFDE781CA5B0D6,SHA256=1441A14EADCE3CA951DD722796E4A35A8EFDC00AE223A4528AA0B2D0E140E0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232432Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:32.778{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F198B591E54E9E11F2D78FCD3FE95F5,SHA256=F5CC4F32D224BA82AABF1780F336080313AF98F665803542043B0E012D763795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:32.152{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63175817419CA143884EF8F96D48E5CB,SHA256=3A2F6BA7B9066509553E0DD79FAF83E487220DD8277698206D1C73846FDAAE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232434Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:33.825{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDD99BF230EFBB6FAC9A08AE5DA9E47,SHA256=0D6DFC3365E1179B9F3DF4AD5299CDEDF5E3E627938D607A6455187CDCB58DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:33.183{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCC531FA0655B5DE8EB969BC380A21D,SHA256=E768F10FAF1340A4302DE87E83F383A85A25BAF2789663465605770F17B1E491,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232433Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:30.066{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232435Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:34.856{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1710043F3B67A0DA04AD31BA0D0559,SHA256=4CFE068AF6A86D0352845C542A921E0E97E351AE1892870274727CCEF069B78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:34.199{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C361D4C77AD29D1D527590E51D20983,SHA256=C3FEA203E8C9B251B8350A1C4830369A1D00CE9131BCB0F6070663B16BA406CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232436Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:35.872{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C985C9783D030D6F4CF37C6244134CD,SHA256=940B656FD64A6E9513F8CDD5E3C6C65555A5D2ABDFF801781ECD16B6333EAF7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:33.815{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:35.215{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83703A14C2BAD83A0A918EF862C74869,SHA256=3C4BB634DE4A0BB2AE0B9EB29CDD2BC2AE5486EED0ADB4CA94492AAAA16940A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232437Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:36.903{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E332C051EA812ED6E6AB8103DBA1EF,SHA256=C4B936B690F60604AF0D2105600A4AA866C54080A1518332D4DD2FC8105E7285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:36.230{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FAF0410D5006A352F853AD39D6CE735,SHA256=E272F097ABC2450258FD4E0A286D5B631D035B58D4C67B6126C75762975BFB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232438Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:37.919{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7EBBF1005F2A1AA3EF1763A6AAA66B,SHA256=89A9D2E6F1FC856E784A97C0A27911A837E8C70D519165857C756D2DB1D45415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:37.230{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA2C1C2B8AFEE04DCF5E763BEDAB457,SHA256=C9223D275671F6BF79F7EA33D249DB1EED3D8457C632F954296E73671E258918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232440Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:38.950{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B72809FA4B4E6EF2F751224ED066E7D,SHA256=9AB256C2E46FBE3DD359ACF707AAAFAA21C3F97755E50956A875FA97C0E0231A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:38.246{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BECCDF724CD44828D1071F9A41D26B2,SHA256=115038ECBC4B1CDBAD71C3AE4332F7D33604688D48813C648698F4F91828B491,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232439Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:36.066{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232441Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:39.965{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E9DC75F42B24387CE0789C0E518FFF,SHA256=66D3D4BFBD2588D96E00D3C002665CC1AF588801871227ACFFC90FB855C2FFB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:39.324{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7B949342A44ABC06098E82F1D1F3C8,SHA256=0C44BEFBC05C53DC84875777168553EB42AE4B1E73CEEB9C6C089058441EB8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232442Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:40.997{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82A87D2152182A34ADE595430AEF531,SHA256=55C6C52362EAA89DB0A114BD0B830B1B708C76070C717B7F92204B1250E6CEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:40.340{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DA2CBB3BAA6A79C0CE93D95B749867,SHA256=B98F98F137BFB3823D8E8D554CE9FAC67E09E4780C5FA0C0FA70A78334B0B9B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:39.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:41.355{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345D14D415D31ECB2D2E9B31CF709F4D,SHA256=585DAA1F1DD2D90F3E1BAB9CD39A832AD88FBA470408DC042550D0845ED36019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:42.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23092647E1DCA62777E1A6D6A6794C4,SHA256=903E505ED1F78D92F6A116D4E5A32843A0042AAEC31D9AFAC14818FC3D969DDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232443Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:42.012{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164D3CC4B3E6DD5640C3485A0A53E6A7,SHA256=F5C1CA28F0F3C50E23DBDE08F04A20B4F7E6747A22D07994901AD934B6FF8381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232445Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:43.434{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FF4A1CECB93A6AC6F4E449968E7DCB84,SHA256=3E706BDED268282A541FA350317FF72E1D7AC47B80397F44BA918890A729D229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232444Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:43.012{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7B2CD44C6AE89137318A89CC16F2B3,SHA256=EAB0C8B8A1926BE90C83E12820DE2F06D11E87F7094C92004D0DC356D948DE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:43.402{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53AE9106EAD3646AD5C2F5709C686B9,SHA256=E65FCBAFE72FFD64F48BB8ECCF7DDB98B0A542FC25F63E14811EF114BAAC8306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:44.418{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2AB052F743117D726A0A14F2815CFA9,SHA256=AA9C77C508F1BE6A3313650CBF64FF87B1CF77E89F431C7FDE3684C1A5707E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232447Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:42.034{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232446Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:44.044{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762F61B5A5ECBB9AFE0E0ADCDF461704,SHA256=94F008E4FE77C27486B3F35245F6A2AC3F4FAA3C5265FDBCD84770CA8AC0F4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:45.418{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A73167D2D953438E6868FBAB7EFCAAF,SHA256=5147E1D82FAE6103F6995A023FB96D3C67DC45257C81055C8A963D815A542A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232448Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:45.044{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B937E729235A17A3A6EF88786D395F8,SHA256=4C50E86A6CA4BA502DF6C71B5951B028B52F6305FDA0B2F3827DDB616BDBBC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:45.199{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5D2D11312F81746DC3A8162B0AB3105C,SHA256=B8DF8E1B843BC559682C2FD10914C248378E72D828165B6CF6DF11EFCF8D0133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:46.433{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602DB5723B5773D6FCF122E634CE8EEE,SHA256=4466ADEF2547161261E38317D0A5B92169665B558C6B36519E4787ED12E8150B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232449Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:46.075{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E253CD24D802149521A7B3E5CC25E830,SHA256=49DE8906A9A94907A9394564EB39DCAD7E81CBD2B6A9B066B5BD9570016A6B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232451Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:47.970{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-119MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232450Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:47.090{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41729C31DDE082B78AF6D25A7049793C,SHA256=8F82E5755C17A8E92B896CADBBD628A5E8FD9F12C9111EAB1A359BA2C90EF37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:47.449{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F89D4C4F1A0C0ADDDB9D91FCA0533B,SHA256=DD110717F02ED72D053040F194B305D44D5D34588258D59B7A5EDDFE505D7206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:48.465{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066EDA9C308E6D1EB2A23B2B6F11184F,SHA256=9B1B032458F34984DE2A909CFEA8F28657FDE157A9CCD16F19FD0A8F10EC6601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232453Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:48.977{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232452Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:48.100{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F62FE16DBEFC7869C05EC31657916D,SHA256=B8B22B75B5BAB6D7105997B4FE69F3EC94BEA3C100E37D79090AE48ACCAD074B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:45.659{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63994-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:49.636{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:49.480{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60333E0CF39FFA0BDF24FDC3BCCCECF8,SHA256=FAE937C86ADBDE51E1854B3E86ACBE9EF121832E1659BCFC02B87CA65789A6A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232455Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:47.122{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232454Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:49.146{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B24D2DA106E8C17111D2F7522DF46BD,SHA256=8213D497174BF18E3B934204BF1C8CA64881A0C66086AC57C3892D7F47DC87CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:50.496{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141ACF8A2F5A67F409F8909EC9EA34F2,SHA256=856898791E198B0DAA1FB011D39AAA0A94D29829667B543916716CA042F3792A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232456Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:50.196{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FE585CB000A929BD188AC0ED870811,SHA256=3F351B53A7CDE1EC838EBA4612C2A4033B5D14A6C34E2E197A4FD815ABA25335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232457Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:51.211{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B836A829888FFD9B8CF1C7B5840F30,SHA256=08BBB7197C46F46AA087071A24389C44F156268826493BFF02064EC026D96424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:51.511{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D444E0A88FFA717046F5F9FCEF0D451E,SHA256=FCF3DCCE19F22C48311F6437987C40606357139B68E3DA5C9D0039FC16548B86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:49.206{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63995-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000232458Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:52.242{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E74B6A3CA04E0BBC6576F6207DC072,SHA256=F85F52DCA37B0FCF6843D6A3906243B56CD02C7963B3F1D1E766ED88E8344493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:52.511{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4AFDCD514B61D9657B079F478A0B8E,SHA256=E1A8BBC0D9020CFF22BE7E5DDBECE40CCF51D8592B4D7600514756F77B134037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:53.558{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA704289E780B9770E2D5F02A4DFBF9,SHA256=2F9A1C1C0BCB0F9D7BD783A57ABCF70571BDD1A447F9F60ADD02B5CC8D315376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232459Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:53.258{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E750D7927B9AEFEE28B8A819346E47B1,SHA256=8FC4AD8D38B87646E1D5AABD63658B5AA0DF4EDF85433F1BB37472D82F9C7DD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:50.675{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:54.590{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1586B265ED7BE8FEEF4BEC6AB5EEA20,SHA256=7E25EC09C4516CFC2C34B4123A3511B5282849FFD181B068284B279315068AF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232473Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BF6-6127-F003-00000000F301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232472Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232471Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232470Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232469Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232468Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232467Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232466Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232465Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232464Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232463Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6BF6-6127-F003-00000000F301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232462Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BF6-6127-F003-00000000F301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232461Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.712{D371C250-6BF6-6127-F003-00000000F301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232460Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.305{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98E2EE5AD8812D284130106C6283AA4,SHA256=73E88B827A9245B3AEAD0E5AB8B49C6DB3F6B9460E37AE201C6D56D938E6A62E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:55.621{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460F4E5EE0B2D8EEE51F36139D54EB70,SHA256=4C98C4C5E4879623446C53146EA3F3463F98C7B9372189BDB424BD119CC44AB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232502Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BF7-6127-F203-00000000F301}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232501Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232500Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232499Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232498Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232497Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232496Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232495Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232494Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232493Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232492Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6BF7-6127-F203-00000000F301}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232491Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BF7-6127-F203-00000000F301}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232490Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.884{D371C250-6BF7-6127-F203-00000000F301}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232489Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.774{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E627F6A22D53DE2C84B254AB878C52EE,SHA256=3284F6D601B1B8CCB6EE14CCC1A32D0321347D5693E0379608F754332BC3CE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232488Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.774{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E1E32B82D343D83BC94C49F1F2A1381,SHA256=C8204207CE2E7DAC0A523A45B32A17086B8B3AC8584FB9FFAC6C5C243389A487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232487Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.539{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67D7E3435CD864E6582A534053AFD5A,SHA256=7BAD6BCA8FF1BD702440A64CFC496AC2245C1E38310A3FA4D18663D92A61FEF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232486Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BF7-6127-F103-00000000F301}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232485Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232484Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232483Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232482Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232481Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232480Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232479Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232478Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232477Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232476Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6BF7-6127-F103-00000000F301}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232475Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.211{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BF7-6127-F103-00000000F301}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232474Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.212{D371C250-6BF7-6127-F103-00000000F301}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273455Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:56.636{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2F6E3EF35B6F6B8F8D31479821B756,SHA256=EDD750FDAD6DF6ACD5F7BD2A8588C2F9548ABCDDFB870B314CB88375BAA6E001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232507Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:56.883{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E627F6A22D53DE2C84B254AB878C52EE,SHA256=3284F6D601B1B8CCB6EE14CCC1A32D0321347D5693E0379608F754332BC3CE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232506Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:56.555{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68481616C75874CEE085393D6A35F140,SHA256=2EDD497DC19B9D93BAC3307E10E52FCA809B19620CAD4BF709F313DA5E5D5720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232505Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:56.524{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232504Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:53.093{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000232503Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:56.039{D371C250-6BF7-6127-F203-00000000F301}18481408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273456Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:57.652{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747EA8B7C6D97178C22079B172D00F9C,SHA256=E9E5259B58E235C3C2423460BFC501F4092A94EFD99C842C8A6B5220C2816BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232508Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:57.555{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052303434E9D8FFC227F6DE5A9D63895,SHA256=9CE1CB705FB3D1F06FBAE3FAF2C72A33213C2A73B47A91A8F594AD574FB1BEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273458Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:58.668{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16A6336D4F9BE1EF936FD2DA6330EA4,SHA256=0378DCEDA070C877DED5F62CA4C3CC002A83F8E8B142E31144ACAB483C7B0135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232524Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.555{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFED9D97409076DDB37B532589A7620,SHA256=08D9926EF367BC55973B996E2E84C4E838F0F1298BC5C726CB273E9AE34411F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273457Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:56.628{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000232523Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.367{D371C250-6BFA-6127-F303-00000000F301}1612604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232522Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BFA-6127-F303-00000000F301}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232521Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232520Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232519Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232518Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232517Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232516Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232515Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232514Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232513Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232512Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6BFA-6127-F303-00000000F301}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232511Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BFA-6127-F303-00000000F301}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232510Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:58.149{D371C250-6BFA-6127-F303-00000000F301}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000232509Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.483{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000273459Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:59.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE09D4D5550CF15242D8E1E09C4683B,SHA256=8433218077065414B9599B3D462B1187D1DE04C1DFD4BCE36F27049D611DADB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232540Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.570{D371C250-6BFB-6127-F403-00000000F301}16521964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232539Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.570{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B33D71275974B25E78EFC828DEBAC5E,SHA256=88E3C11B9B3643C048078A27ABDD1179B6F953C119085AC53234C472FA66649D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232538Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BFB-6127-F403-00000000F301}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232537Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232536Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232535Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232534Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232533Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232532Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232531Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232530Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232529Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232528Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6BFB-6127-F403-00000000F301}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232527Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.414{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BFB-6127-F403-00000000F301}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232526Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.415{D371C250-6BFB-6127-F403-00000000F301}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232525Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.305{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3687D97FDC64D20FEC1B2EA381DDD0A,SHA256=C3BFC4591466821BD95334ADC4E7F302695624693009F97AF70C4792B064013C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232556Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.617{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EC807E5A33F3420F40F4307FBB8959,SHA256=22CDB99D78A4B54C8492510E11CDCF13DA4FF075211B2952D83AECD3D37DE9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273460Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:00.699{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65EC7E5714F8662D93FA0FFBB9F0A34,SHA256=F9BDACC9D8FC8350AA4FB86BF990045CA2A7748B07F3E42C713F21A5852818AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232555Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.430{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D4A6E70961D052EF64920456199D7DB,SHA256=C717B1018F1CAF56F7D4AFD761D8F47E89AD4EAC64520FA2EEB201F5CB211F01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232554Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.258{D371C250-6BFC-6127-F503-00000000F301}32763088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232553Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BFC-6127-F503-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232552Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232551Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232550Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232549Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232548Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232547Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232546Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232545Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232544Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232543Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6BFC-6127-F503-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232542Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.086{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BFC-6127-F503-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232541Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:00.087{D371C250-6BFC-6127-F503-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000232570Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BFD-6127-F603-00000000F301}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232569Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232568Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232567Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232566Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232565Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232564Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232563Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232562Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232561Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232560Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6BFD-6127-F603-00000000F301}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232559Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.992{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BFD-6127-F603-00000000F301}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232558Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.993{D371C250-6BFD-6127-F603-00000000F301}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232557Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:01.649{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1FB6B85AF5B10617C4578A0F8458A1,SHA256=3F82F4E5761015F91DDDD172434CFB511B558496C3F401719B1847FFA5006039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273461Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:01.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360234107DC3275124A28BFC52263722,SHA256=940D97B3BF7A9C90DF9C4EFA62FDA55D60B22476D20FCC9873680129D4E30A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273462Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:02.730{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283263EFD6F5EA8F1DCCCFED9CFE30D6,SHA256=5CDA63F2BB2F8FD653545261C37AF817135AAEA92CA89A6EBAA6BF88A99167E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232572Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:02.664{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AFE40D7A89B4681E558DEC86C5C523,SHA256=719900C60961663AFF0152D50AE0A077A5AD6C5E76326FBDA1F8DDF3B439A35D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232571Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:59.046{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273464Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:03.730{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39752CD16A3922EF5BEBF225594E563D,SHA256=A457FA7D26C60805DFB592253CA8018C54BB0C20091D3F02F67E669EC91FD619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232574Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:03.680{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E5133E62DDC9ED743364716811BF71,SHA256=9568063E89016AB5B2EB8CFFD070C1E24EBDC5A2779FEC4E1FE2202709772EFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273463Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:01.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232573Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:03.008{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79D9B27BC8EFE29391692101F07C748D,SHA256=69335655E9DBA0524D5808FD0C6E2A49C5E05050C978C7EAAEC0E870D6EC2AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232575Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:04.742{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B33C6A363B47250B9BE1967FB1A7D3E,SHA256=371F280FB2ED11C24B8E5F4F10BDE6C3EE07A16ECB75909D766AE8AE52E2AD41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273465Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:04.733{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC484CFF0942F37C839594DCA33D5914,SHA256=7B2BD17A99EBC314170E235B9DDD56FCA60A0C030709823D354266B4DA879157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232576Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:05.742{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC5A9CCAA42C7B3F2BAD78309F046CF,SHA256=001A600E53CD370ABD0F1DADF5A8770EB41AC50FCFA8BF96E36AB5FD00029AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273467Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:05.733{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF4124B1554DFCA87E254E489848280,SHA256=173A2EA742096071A0804A9FCF5C560010F859006881C7EC7C185E03CB98DEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273466Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:05.142{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-119MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:06.782{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ABE73C515FFBF51E29F9F5FFE9F3F5,SHA256=5B8107368191090ABCE57CBF2AF64F368D03803F4EFA02A7A9D71D9321113D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232577Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:06.742{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226D1D27FC9515EE9C8E8778A8A06802,SHA256=E524A7F7C980579DACAC9454C72A8B8C3591552D6717285D056C25A70FE262DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:06.141{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:07.798{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260161D0DDD3832323A799688A33B55E,SHA256=8D8F6CD16B90DA59ED7504FACC414CFFE1F366EE6DBA3F741DAD81C14DCA801C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232579Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:07.758{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47AF68A4ECE32E375B92D679BBE68D6,SHA256=05D649F60C9E85945CC8C51EC3744C85AF3A4633CFC139AE7D1EEA26D3D72983,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232578Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:05.030{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000273472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:06.711{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63999-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:08.813{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C28ACD8D0B184523F14C275396A672,SHA256=D022A0CACF691D211F7AC98CD608D6D22C3E7BEA265EF7E252018BD578219C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232580Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:08.789{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54DD6261737FFD37EC4DC6640893F24,SHA256=607162F74414BAE84A07BA1C2103435CFE14C80E5EEF5F832DF138EE6469089B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232581Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:09.805{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA49673110F60DD28398606993522294,SHA256=306867296EC2B2FC9A0FFD781B041C22E7031BF77BD67323293AA150024D2F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:09.829{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EB42B03BEBE9508194F1BA6C809B94,SHA256=C8300EABC5FFA93B74F0CE11547E105F0AFC8ED120F91EF943DADFB3DD69CB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:10.844{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08502BA9FCBE57FDEAC3DCDDBBE26ED7,SHA256=B2241116681F258CD14A7D1A772C49523ECCFD41D1481F4DBFF49C9CAF4E6FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232582Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:10.805{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFE612325020CEF9E1978B49B3F3D03,SHA256=1BC3D76254FF2065A421050CF5CE6422401ADDE4819BA341CE52135EBA859E6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:11.907{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C07-6127-3104-00000000F201}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:11.907{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:11.907{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:11.907{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:11.907{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:11.907{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6C07-6127-3104-00000000F201}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:11.907{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C07-6127-3104-00000000F201}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:11.908{80A11F3A-6C07-6127-3104-00000000F201}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:11.876{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1C7A391A5A8F6188F8BA031DC313FF,SHA256=074C827236D8415B841C44E407C3FC368138F06A92F9F061A503D048EA429DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232583Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:11.820{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A448ADB9306374D3589D8562C018467,SHA256=BA80D03C6F194E2FCB0DBFABA49BF1DC629FB8C21100480E6020B3F03FB2BF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:12.938{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=198BFAF027C598F2157CA7F93BBC3213,SHA256=261E6B37E49EA6155991667EA5AD22D586705F3E22DFCA73D7B795E315150BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:12.938{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EF27B09D58F07778B9AC776AE4F0C5D,SHA256=FA1B87B3BD10A63216D6F48109F51C9A4B0018EDFF5AF24AEF57735B6387ED8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:12.876{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D937A6640D061C3F10D800562058ADFE,SHA256=4D69D244A0589CFCF9FD9ACF5035821A1703E8B639BD6A54AEC431F5720789D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232585Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:12.836{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA03E1A56C637E143C2BC1F2EFA7AC0,SHA256=4D21ECC3EB449B55908A9AFCFE95B7BB0009FC0AA58F8B87F0BFC126AB89CE2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232584Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:10.062{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232587Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:13.836{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7749A6A3EF43E82EA32A8848492E9089,SHA256=587BD1C78383FAF316CBE133AD75672E8487B2D54221AE7863122ABD9E30D908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273504Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.891{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB22C9063CABD36D47A1C9C684AB59E,SHA256=BC12ED67C6B9E1ED77AA459154486561599FB64D054E18877FF188311E306CD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273503Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.735{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C09-6127-3304-00000000F201}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273502Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.735{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273501Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.735{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273500Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.735{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273499Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.735{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273498Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.735{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6C09-6127-3304-00000000F201}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273497Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.735{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C09-6127-3304-00000000F201}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273496Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.736{80A11F3A-6C09-6127-3304-00000000F201}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.251{80A11F3A-6C09-6127-3204-00000000F201}23324676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.063{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C09-6127-3204-00000000F201}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.063{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6C09-6127-3204-00000000F201}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.063{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C09-6127-3204-00000000F201}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:13.064{80A11F3A-6C09-6127-3204-00000000F201}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000232586Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:10.670{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:30ea:319b:f5ff:fef0win-host-944546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000273506Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:14.954{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2081A0F7175F1AFE63AC43D602800873,SHA256=191D2AB733340C178654BD4F59683ACF29CBA01995D58523E13840E7E4C4D97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232588Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:14.852{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C54D6A7D1E231081F9B8A43247B482F,SHA256=ED2A2E3FE5D73258BE9144FA0FC428C2CC63469B4096A0D291D4AB5238010A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273505Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:14.094{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=198BFAF027C598F2157CA7F93BBC3213,SHA256=261E6B37E49EA6155991667EA5AD22D586705F3E22DFCA73D7B795E315150BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273509Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:15.985{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4208437ECFE41D0BFFC34455E6BF1AD9,SHA256=BFDE4311FC0B9B4FE6E4BC0768B282CE2CE769CA833F4FC21AFB67C6FA42DFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232589Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:15.852{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F2BF4751910611FB5E037FFA0377C5,SHA256=3490006C7875C262659586ED4B457EC3E02AA1937A0C5557C520C129DD001113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273508Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:15.673{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8A9ADC7641C519AE1D778CDE25C163B,SHA256=D5F51590F85AA93B610CEDE24BDA7A820B883D519B04FC82124E60283C2F7779,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273507Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:12.695{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232590Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:16.852{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5697531569052C929E5D07182B16945A,SHA256=16CDA91C3907CB7133A3A2C5EC20C41D27160A0BD2AD29FAD1DB7F8EA0217319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273520Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:16.985{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2101FBEC2DA5F5DE7A7319FF61A8DA7D,SHA256=8DB641C4DEFC85764DAE4DA20DA2E0948D5A29DFC57B93E6CEE515440EB52129,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273519Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:16.844{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C0C-6127-3404-00000000F201}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273518Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:16.844{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273517Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:16.844{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273516Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:16.844{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273515Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:16.844{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273514Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:16.844{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6C0C-6127-3404-00000000F201}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273513Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:16.844{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C0C-6127-3404-00000000F201}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273512Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:16.845{80A11F3A-6C0C-6127-3404-00000000F201}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273511Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:14.102{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64001-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000273510Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:14.102{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64001-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000232591Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:17.852{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0494C8748E00ADAB29E64E7E540B679E,SHA256=2948C76283791C3D4D168749456251507971754D6DF690E2D0169E78E9F39674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273533Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.891{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20AA1836CD329BF1DE0DD00F05C4CEC8,SHA256=B0AF45A534EC83FFB01C3324E3E82892BC05DA8DABDF179DE7C4B5E0341B8E66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273532Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.688{80A11F3A-6C0D-6127-3504-00000000F201}16162324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273531Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.516{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C0D-6127-3504-00000000F201}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273530Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.516{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273529Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.516{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273528Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.516{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273527Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.516{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273526Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.516{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6C0D-6127-3504-00000000F201}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273525Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.516{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C0D-6127-3504-00000000F201}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273524Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.517{80A11F3A-6C0D-6127-3504-00000000F201}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273523Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.344{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273522Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.344{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273521Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:17.016{80A11F3A-6C0C-6127-3404-00000000F201}1244108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232593Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:18.852{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5692C1126BD1CB63CFC9F938B2C8D3,SHA256=6252280946B69FAE1558360CF56C32AFCF6FFFF0D95C467902CDBF27A701EC7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232592Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:15.077{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273543Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.298{80A11F3A-6C0E-6127-3604-00000000F201}45082476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273542Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.063{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C0E-6127-3604-00000000F201}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273541Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.063{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273540Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.063{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273539Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.063{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273538Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.063{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273537Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.063{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6C0E-6127-3604-00000000F201}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273536Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.063{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C0E-6127-3604-00000000F201}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273535Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.065{80A11F3A-6C0E-6127-3604-00000000F201}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273534Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.048{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A0BE76954C6DEEE68B55110C9AFC75,SHA256=3831441D7736011123EE3903BFB548297B0E3D2D80E7C802C03FCA0757737B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232594Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:19.852{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B70DB5C9532275E78510AE5E734E57A,SHA256=D4C7A146C7E089279ED81FE60FA7FA63B15B7042EE605A08F31FEE6773097074,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273553Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:19.516{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C0F-6127-3704-00000000F201}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273552Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273551Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273550Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273549Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273548Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:19.516{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6C0F-6127-3704-00000000F201}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273547Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:19.516{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C0F-6127-3704-00000000F201}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273546Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:19.517{80A11F3A-6C0F-6127-3704-00000000F201}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273545Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:19.063{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47041B17E8C3EBEEB8A7C04E432307C5,SHA256=32D9C381F902E5A6FE729787F53DB3D6F07DE9573164CEF10D8583F82B15A6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273544Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:19.048{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCC5751D3A68C3D0C446EA293B680BA,SHA256=F79342B8AB41C0C99FF16BF20B883F5C8E85425E2D5E9D987C34F7CE50F476CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232595Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:20.852{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410B6F885C5A75CEC39481B209770EDA,SHA256=4315354DB095FBD3D5AA8D45F672F56996D2984C45F9D9B1DF94436B3047C5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273556Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:20.548{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9C617BC838B16A05AA1A1771A409B4F,SHA256=0A7CE79518A071705367D7CE8167080D2CDCE2CA6C6712BF7A2C464F197035B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273555Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:20.219{80A11F3A-4F83-6127-8F00-00000000F201}4592ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273554Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:20.079{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3DF6B1AF29A4A8CD7810E0699287A6,SHA256=42918F919C6368FFB7ACA78947E26EB7F930A2768B16A7FD53FC80913E7A179A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232596Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:21.852{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248D55067B72B378A73C0C37D848BDE3,SHA256=7E42D5BAD2227D13443205DB12B06C68983EFE14C4121DA83F8450463BF1898C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273558Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:18.695{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273557Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:21.079{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D082D8A2F6042115F567372C8F85A0C8,SHA256=F1E5F95EC4AC62FDC84F24FA88F196CD77CDF043D4F6EE35F9E7BBE8AD472876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232598Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:22.852{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390790715B47E07869431A9452232642,SHA256=295845E4F0D4F041EA1662F671756F1811E3D6631D645D99F631646FA4ACCFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273559Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:22.110{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9219A0A1988CC4FF40CB122A89C8B65D,SHA256=FE7891B69546673485C37251B91710E17CD509D0E183A5DAB36677AE0886C919,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232597Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:20.187{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232599Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:23.867{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE17F0BB72A80D2FCA07E738AEDE8E76,SHA256=0E05876688A37FAABF22735E4BB644BF578FE4DC43121BCDC522049FA542A677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273560Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:23.126{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D508FEF7CEE1A25D964773DBA87ECD8,SHA256=F57516FC9229958C3FBA82D0B93002669A90CF675DBCCDD88817675B0F72521D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232600Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:24.899{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A953A812ABB96D3BE509BEB956237393,SHA256=FD496DCD63B21A72E98D67649799501F7DA90711908F1599BCD36F0844EF52CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273561Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:24.141{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B10E1BE84A6F014B1FCF9E3EEA95AE,SHA256=464A1A373799657871685F4BACD8F85C9B6A9898A0A172AE58B1E5D04DCEACB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232601Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:25.899{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B46F73CA2AEE563A83FD50B7825A1DC,SHA256=7EE14E2431162C4D3C9C62EC581530C0FFEFD371F6C56ED9063D9336B4746B8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273563Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:23.711{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273562Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:25.141{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A30B3D927EB115AA9B36EF004C633F,SHA256=EACFBB17BEF5FC71B36C1697B2FBC79D88C41569F1DCCC33C048FEB9D7E0D395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232602Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:26.914{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415091A8294885CC9074BC7A8022044B,SHA256=1417F09CB72D1086E3EEAFBDDD00424A033CB68193D60B01ACFE25C42707F82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273573Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:26.985{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A433D5AD0DFE2EA2151C7EB7B6505F8D,SHA256=F03CC7C5EB67C6B20EC6C211F777F7D2A82751474383B7B71475D50419768725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273572Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:26.985{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE5A05322A5D650C8556916BCEE3E493,SHA256=8FA63E4F88A2AFFC07833732F3D20F41BDDE4B1C59EFAB3B9222A748F7C20D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273571Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:26.532{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273570Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:26.532{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273569Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:26.532{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273568Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:26.532{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273567Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:26.532{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273566Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:26.532{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273565Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:26.532{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273564Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:26.157{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E0431CDED3CB8F917BFD8BAAC8F6E7,SHA256=48E8C19F76ED3EA23EEB0CA1F850BB2539C801DEE5597454B07B0D59E03EA577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232603Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:27.961{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93687EBFAEC5BA719D63367E0ACD308D,SHA256=433E30B36F26644C403327F33035F1F351BE554DC2B1778E450779D5590AFCF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273574Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:27.172{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0181DF980FF824569D355637385591ED,SHA256=9D53B68AC4930484CA30D064C530CDC6694E9B2817FEF2ADAD3657EC48A34CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273575Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:28.188{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58787A38D4B1BDF0A66F645922A2CAD4,SHA256=04515F382C1D43AC453634DBE67B81DDE6B8CC8A1D89DC2F18252E8C0DE08FB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232604Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:26.202{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273576Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:29.188{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E544F6C22F365281A3DA89F22F0E54B8,SHA256=4EF29819ED4D0391B687FBFE5E3DFB76D5CFA6D0B2306BB638DDFE016F15F49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232605Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:29.023{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE91B1BFA2EB37BD7B3AE58D926D64CA,SHA256=D781F11DF9367A0A1D5E71C5908063B24AAC906453F0E5B4356B5AE025301E17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273578Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:28.758{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273577Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:30.204{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11F29A0F3BDE0E24146482BD20292D4,SHA256=7C666DBE7E641650D4FA63B7B227328DFBCCC7F379F72A7147F7190A1423B664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232606Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:30.039{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88993310E9E282B56E67590526AF2C3F,SHA256=C9DFFC4D8B6FCD664469E13EA8596DEFF6ED147DB3B4E54FD65DD0422B48564C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273580Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:31.891{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=62FDFC876BF53B8C35B1DE68F9F23B53,SHA256=392FC7358E51A0846D396ADDBDBE2DFB7D069C00F1C2EE8748A06A088A1E3CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273579Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:31.204{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F985C3C64A3AF4E749136A1BA458CF40,SHA256=684857C2684FFA717B80FC27FA24BF694FA860448B219BD1ED812CBEECD83999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232607Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:31.039{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28728C1ED3ADCFC308BB13FA92FFA95,SHA256=0704FACB38552E02FE9B16E31FE76E7FD609B872005DE4D1C0F9568F5BE666DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273581Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:32.219{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895B1E7CB7C80E6644B94B4AF3EAB368,SHA256=734F4821DB709E3F51661C617D4B23BEA7B594B6C255817FC57A29F88CD9AB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232608Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:32.039{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53D9039925B4186263046404833C5AF,SHA256=57DD7C7343EA5E1E9D3B1249F297D713EC6B6B26B0BEAE7D3E60441C72A99B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273582Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:33.219{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8118F746938212A6E76FE8B02AA329,SHA256=022BDA9C5984630E8D4DCD75845F38B8D5CD7CA92C565F654F25CE5415484D49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232610Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:31.218{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232609Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:33.039{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC61672F3D27DE4A4F800350B6D3883,SHA256=74DA2E97F917C5BBD9A4FB53D73B3FA8C702F1768B0D3BFB25D5C9E81728B09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273583Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:34.235{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C73C2D2F7DF10EB32437623F240694E,SHA256=15544B6E67186BF967FA4FD79D07A97C246F55CFA71E0990558F544B29769540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232611Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:34.055{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D072870E82162AD5BCA10D596657AD74,SHA256=5447092172E9611506D7FB75E7BD94D267D73BF2390C6042560C1D02FF50D8A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273584Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:35.251{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF7C5E31FFE2343A225BD245172B5FD,SHA256=5D521A4AC01B8566E1BCD9E250AA4E75FFE0F74054001E969A76DDABCB214DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232612Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:35.070{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4E5CCA75FCA94E8E1CEC759368649D,SHA256=EC223E6A3381F8264F52885B9AE7FC72BC2F0398FF0354771AA8F76AC6A2965C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273586Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:34.805{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273585Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:36.266{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3AF46E620F21BC3833080629FDF0457,SHA256=D28BAFA8F7041E17E7DADE6EADDA8314334683377FB686E6F6073E134D357D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232613Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:36.102{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7760013928F280C51D8E35D61B1AE95,SHA256=5CAB3165D242CF1477BF2EF13E8E5556356F7AFA6926C367BCD4A2AA9A01CF3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273587Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:37.282{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE20649A02E313E39E3F5DDD5D36107A,SHA256=81231833B936F1F7240D7C971B54AC0248287FC8A6E30BAB198F4DB8835C4454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232614Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:37.148{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C4C5F09E1199233F8A1A9864A0A8BF,SHA256=187BA939BFC917EB38F2BC64765357C792E546ADEEFD25D7C7AA38FD92C2A4C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273588Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:38.297{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B5BFF82C27AF8EAB30A557C3F73065,SHA256=F4E120F9F2D793739823BF06EEFD198DA1BC38792B87757E78E5277FB8AB28A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232615Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:38.180{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297D106F1FD0F1B82D77D1187B39EAE5,SHA256=046126D4522EFB8E3A79170832733634FB22D5EBDC140DAD57C9C2BB42BFDB7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232617Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:37.031{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232616Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:39.180{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C30F4A01E5E628A8A3C99EA2F684D7,SHA256=678336FE1F77288FF477EC83939B82F1BA7B2C77D319F935B11C095591516FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273589Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:39.313{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB36781571E494FD5A442B942678044,SHA256=1E4C84E804DFA16BE121A0CED306BFABF251B1218C70CE9423DC26959718D6B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:40.329{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE329884233644793B0D120F7A50DAC,SHA256=2CD0DA04F072983F34D694D97A01A68899C34EC8ED343CD19652DF12CF4927F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232618Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:40.180{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AEA70DDA6BC100C6083DBF911CEBE3,SHA256=7A203C521723358C3802F3F1EEA9269D4FE9A6DBE994C1B72903186A9B978A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:41.344{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C3944AFD30FB2661875E50D2FD875E,SHA256=39210C5DE17DFBB3D3058245B906DD5CC75F22D8F5526645F491BA4416B8218B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232619Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:41.242{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CEBC2AF7A8EA420263E548C1ACB4384,SHA256=D08A09A3FC03167A3812F56104EA183DED294AABC895C31DF63557F90AC170A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:40.601{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64006-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:42.344{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546960AC79120756C8D65B122E1A1FBF,SHA256=B7FCAD18909E042FAF10C287E77318E053034F5840BB04EFD5C5942A5F92BD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232620Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:42.289{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83AD90877FCE31A3350937D66FAC619,SHA256=F31AFF5A42044F82B28C39F3C900B7913310A20FCA3BA43D8B7380E7EE840730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:43.376{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CFF5E46582E072C5B1416DD35A59E8,SHA256=E4FF0AA68E7BC35C3DBB5CA2B6A67D4CFBC0390A45E9EF7F1E1F0D6562DDEF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232622Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:43.445{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A239C8B310CD1D2340802F198CB41627,SHA256=13F488E7F3487923E9EF1F067E1B9E89376F72E7EF112F70176B3F2F3BF42652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232621Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:43.320{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623ECBF0B69E1C3EC98E7D5862C7A3A8,SHA256=772808341F7D8B9E2417C8659A62946A46B890BE6995CA5A36A76371E97C18C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232623Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:44.336{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCFC76BB8663B7599538CE03372224E0,SHA256=2B06B49407AE51707FA4F5D98B752A3294863C78EE567FE7DF640AC59C6C7962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:44.422{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F228ABB04A72870AE44A1C791B731CE,SHA256=A7AE45BD6030A728507175B715E7AB353B85E1B7A4B535ECF960B705C502A32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:45.454{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19134DA942E1FF874127C863A98CEB4E,SHA256=27B5868596D11CDC0248D4E6E643E45D21625E6B8400B60ABC1B3105DE2E88C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232624Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:45.383{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D85A104D5CEF2DC609D753E5FF0A9E,SHA256=40EBECA147492EAFE51BD23F7DB295792B4E023BF5EB8166B42391A93EDCB075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:45.204{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=51885EC91F809A33EBD57C7270190E74,SHA256=178C3D76AE382C10F7B36F729D9C4D3DB8253A79F653E4D728FABDC210C3766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:46.501{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F974FFAD1B3AE333FEA2009920DEF34,SHA256=02F6B6C3379F8B0DD20815081F656479675030CE34310001E9597BF4F07367A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232626Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:46.383{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A89D7844594752B46D5726A964CD05,SHA256=EEC8AEB7E5221BAEA99261E0EFEA6AE3139D81713CE401F97860613599135EED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232625Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:43.078{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000273600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:45.632{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64007-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:47.516{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7663AB01BAC1A4167B8A126A52605526,SHA256=0AED2A4D9255C2B4ECEC75C568798EEFAE3B526D53257F6C951C91C176C85F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232627Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:47.398{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FC5D5B7314EB22B957A5BE284FFFEA,SHA256=ECE5796D9CF7671E91CC8A12350763FC6155E2327F2CD5CC0D66730B6986D4CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232628Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:48.430{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB7BEAA6B3239DA0C6433D0CF015222,SHA256=57D178C5E0DD5B26F62D528EFC51027484CCBF6F056BE79558D168F422F83704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:48.532{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F272F5CE0850332672B61498A63F3F8,SHA256=48C2286709884F242C6EB7D0E5044A0AFA84FD78FEA2869A8070D9D83CF61069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:49.657{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:49.532{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57733A37B7D84EB2AEBA56C4EB42A6B9,SHA256=0695A51334582C3F223EEE65135BD0D488608AE5FFB427DD98EFB74882D5B620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232630Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:49.496{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-120MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232629Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:49.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF082C9998C61D612906818434FAFE0,SHA256=0B9744B68B37B68002EEE0F2C25B0B4D0FF4058F1108D3D00EAED9D5B76630DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:49.211{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64008-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000273604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:50.563{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9F593F87533B385C1DA8D7BE3001EA,SHA256=A57F20E7A7F9EDBAD667050FE8B24045BCA2EE1DA5FDAF09C6E3CF9187ADED29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232632Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:50.510{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232631Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:50.462{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53AF7914B6DF6C8AAA3FDC598FE9B3E4,SHA256=FB14B82A8112A6515ACB161CAE67F1B597EAA8376EF12F5993F86B10A356EE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:51.563{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1B6A132AF2E8EE5E58CA907592C722,SHA256=715D8BF414C6442F554E1A2514B961941235DA874021612D10105E710C25FBB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232633Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:51.477{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674BEA30175996D320C34A179626C329,SHA256=12C245A29DB03B00C522BB56FF5ADFEA1B1A28CE3C5073DCA41D2F232A447CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232635Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:52.493{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D435AB6E5B0525B5D530ACC086DF808A,SHA256=93E3CF5D597AC26C126BEF5AE72EE37270FE229C3BB60D6A17047DD3DA1902A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.594{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B53621A8BF18C54D7F8D1DBFAD389A,SHA256=CB2B3A3FD689F7ABF330F6C13325FFA0133CCF354E1BD4CD293717F34A24BC8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.594{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.594{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.594{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.563{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.563{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.563{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.563{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.454{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.454{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.454{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.454{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.454{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6C30-6127-3804-00000000F201}1120C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.454{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6C30-6127-3804-00000000F201}1120C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000273607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:52.466{80A11F3A-6C30-6127-3804-00000000F201}1120C:\Program Files\Notepad++\notepad++.exe8.13Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps1"C:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=0D634FDABB6046E5106293972FCBC968,SHA256=40BC229F0708E3608FDF9788E0DD7AC02DFB750D257F7F99CB95A1B3C6FCE9E9,IMPHASH=5962B5A92CD4E6C7B3EAFA149B008211{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000232634Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:49.110{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000273625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:51.632{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64009-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:53.594{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C5E217AB077401C0E7D7F569E094A0,SHA256=9EC2EFCE33B06049C826F5AE8D65E12BD3AD2CD5416D87F6D7C2DC5975C8F39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232636Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:53.524{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C1D34CCCCF2035F0095CF0AD93442F,SHA256=1895C91AE65F50D23717BAAECA71B99F5020A65340AA248A2C7F11E36B436BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:53.469{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBC409E8AD88AEA23008233CA3178F98,SHA256=9B34B402ACA4B2B705923D656982E852724810E40D15F6CC19650A9BDCAD366A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:53.469{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A433D5AD0DFE2EA2151C7EB7B6505F8D,SHA256=F03CC7C5EB67C6B20EC6C211F777F7D2A82751474383B7B71475D50419768725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:54.625{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F845D90D30ABD2D1D073C6E10EF84FA9,SHA256=5D3B69413F6FADD5F6AEC4225944E8C223AAF66340A7867793142E89F7A15522,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232651Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.805{D371C250-6C32-6127-F703-00000000F301}39562684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232650Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C32-6127-F703-00000000F301}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232649Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232648Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232647Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232646Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232645Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232644Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232643Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232642Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232641Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232640Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6C32-6127-F703-00000000F301}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232639Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.618{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C32-6127-F703-00000000F301}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232638Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.619{D371C250-6C32-6127-F703-00000000F301}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232637Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.524{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BD54ABBDDAA211B511B48491D936E3,SHA256=346C42325FF7C0491F5258917498325944A6AC33A0225F7057D8BF24AA9E9222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:55.625{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9EB4D4EECF634AD3D8A82849706C87,SHA256=413BC7A59496AC33D3BD1F255A2497DC771A6DA17915BEFC5E06690FF316CD44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232680Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C33-6127-F903-00000000F301}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232679Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232678Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232677Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232676Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232675Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232674Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232673Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232672Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232671Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232670Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6C33-6127-F903-00000000F301}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232669Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C33-6127-F903-00000000F301}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232668Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.962{D371C250-6C33-6127-F903-00000000F301}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232667Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74D43D5A331B7F11597E3AB2E67D0B12,SHA256=92A041ADC409DFD88BDE87A1F52BD643D20BB7956E5D7165164FB04A449D4161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232666Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42A8DB5D2AA9DBD4877EC388F8E75A9,SHA256=C456A7E46943EA26BF17A264EBB5858E96D70393AF163313ADC6A18E1C0DC0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232665Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0FFD088B2584E798E4FDB067B1162E,SHA256=925DACB76F7D1EF8BE101EC17192215AE5E7549FDFE2A88CCE3F8D90FF00FED5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232664Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C33-6127-F803-00000000F301}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232663Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232662Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232661Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232660Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232659Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232658Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232657Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232656Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232655Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6C33-6127-F803-00000000F301}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232654Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232653Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.290{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C33-6127-F803-00000000F301}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232652Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.291{D371C250-6C33-6127-F803-00000000F301}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232682Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:56.821{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03449FCF345808240148218074A00947,SHA256=F82CC72F526C72899D3917AAC878081A6809CB1420560EE1CDC1C777D96D85EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:56.641{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5F26AF16E6F3241F468FDC39D48811,SHA256=731188193226052268A082F32C3DDBF48AA7DCECB5238D16FBB1F6CA63C28008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232681Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:56.540{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232685Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:57.821{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2720E2267E9A77D3ACB7F10FA584EFA,SHA256=3BA665E48A23412D1F7722378990F7631882E12AEE9494EBB250220D1D94FBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:57.688{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E364FD311B73F4C7BD3B6C81A80DEBDD,SHA256=5AA05F2256E6D234642F30821569C383DA8D8484D2C1AD7E5BA6F0010DDE7471,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232684Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:54.172{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232683Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:57.040{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74D43D5A331B7F11597E3AB2E67D0B12,SHA256=92A041ADC409DFD88BDE87A1F52BD643D20BB7956E5D7165164FB04A449D4161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:58.719{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C211EE051F63754DA7607530F84979,SHA256=FFEBC4A5BA31C3BA7C0B0248C1A9F25CC3CFC26D9B28F893BADC5AF4651BCFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232701Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.837{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB54CF46BEFE77DC0017DA8AAE785D46,SHA256=28822F8F76EB6BCB20C1599B310F6A1A58798EA83C670F817D03D1FDD52A6369,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232700Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.321{D371C250-6C36-6127-FA03-00000000F301}29803144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000232699Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:55.500{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000232698Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C36-6127-FA03-00000000F301}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232697Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232696Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232695Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232694Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232693Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232692Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232691Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232690Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232689Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232688Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6C36-6127-FA03-00000000F301}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232687Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.149{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C36-6127-FA03-00000000F301}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232686Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:58.150{D371C250-6C36-6127-FA03-00000000F301}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232717Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.852{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E5C2964452B3727BC17F34E0B8E2E5,SHA256=69296754D26085357C59BDB00A0EA8F915718B5CA8CABF5902C9A9626B8A0442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273632Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:59.735{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A12C447295BD1CFC6B3CA35DC136D4,SHA256=E8B0192E8D5819779B8F7E683052AF65BA0F7D74A3D2CDE4D9255D1162BA77CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273631Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:25:56.804{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64010-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000232716Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.587{D371C250-6C37-6127-FB03-00000000F301}38122936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232715Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C37-6127-FB03-00000000F301}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232714Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232713Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232712Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232711Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232710Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232709Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232708Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232707Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232706Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232705Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6C37-6127-FB03-00000000F301}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232704Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.430{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C37-6127-FB03-00000000F301}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232703Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.431{D371C250-6C37-6127-FB03-00000000F301}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232702Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.149{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92CAD6D9084D1D4ADB8C175C9EFE4E13,SHA256=8A039B55BDD71FAF21F6EBA1E184324818FCC652898C98AFF04C964BA3B64504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232733Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.868{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413F1F9CF6879FA2BAC2CFEE4FEA9B67,SHA256=6BE4F63FE706D70A64D3670A487FE62EA48DA763E38697AA76D03ECB93242953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273633Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:00.750{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B0A9191055C35871464C7FF8EBE185,SHA256=616C95A5F1E8EECBAD598361DA85E8640B5D6197D198552F40BC57EF1717BAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232732Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.462{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49117DEC28927BFB404119CE71C82B6E,SHA256=A931C117D45E3846544D5B9926504D9F010DB124EC2FE2707EB8027008D27B32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232731Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.243{D371C250-6C38-6127-FC03-00000000F301}32563820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232730Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C38-6127-FC03-00000000F301}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232729Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232728Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232727Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232726Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232725Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232724Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232723Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232722Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232721Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6C38-6127-FC03-00000000F301}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232720Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232719Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.102{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C38-6127-FC03-00000000F301}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232718Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:00.103{D371C250-6C38-6127-FC03-00000000F301}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232734Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:01.884{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856BB086D763A4C55DA68C89A3E59674,SHA256=4EA946DB2B1C8D1ED690AF9845A80B028D62993CEEE056A4D62B02A66EB9B482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273634Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:01.782{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D9C63E1912145B3D979EE70744E603,SHA256=465885D1970B03ECE1041FBA0B58BABEEA4483F6B1FB99DC837077595D9F3F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232749Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.899{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09618F49957B39BB3C88B5D83A2F0FF8,SHA256=331BA1929F9E23FE8E3398A8F16A88FCAA3249457B3B87D2768D1FB832FAF8DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:02.797{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442B822EA2A7C439991E05BA4B516C83,SHA256=829189E7809597ECF99CD86881E0FE26B3BF06BCDCD11BB56D7AFC8C987C0F08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232748Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:25:59.188{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000232747Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C3A-6127-FD03-00000000F301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232746Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232745Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232744Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232743Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232742Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232741Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232740Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232739Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232738Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232737Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6C3A-6127-FD03-00000000F301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232736Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C3A-6127-FD03-00000000F301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232735Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:02.009{D371C250-6C3A-6127-FD03-00000000F301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232751Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:03.930{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0784FE06AA652223B07095887FF4C5F,SHA256=891FAFA45B850FFD92B14F00A35AD9190EA0E7EA6549478338CE6BB262451F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:03.860{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDC45ED015754892F2C9B76CDE04427,SHA256=6EE5F4FE809C06AA39D2553F6A16E550AE71102BEED121ED5388E989FBFBF527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232750Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:03.024{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3F33FD80C7075425825C2CE65D694E3,SHA256=8CB978F7325CBA9ECC53D12B84D490A332815AEA67026E259FD360C6E11344F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232752Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:04.930{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192095139832D9DBEBB4925BD590F3B0,SHA256=216D39DAC8231BC3681E51FBAC3905ED9A1C9BE71726BD76C78688AFD105AE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:04.875{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54D261350C04A70E15526AAFBB5F9C9,SHA256=4C7852CC181F65E8FA2FC5EC4EAC7DF0B3E2A5AB45ED6F0B7E9E0BA5C9808A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232753Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:05.946{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AE270F411842FF6525441AD7587DA0,SHA256=958416A09B7F23160700F917883BE5F4D9AEB0BB2B79E3EAF23F00FDB2A49822,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.938{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.938{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.938{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.922{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.922{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.922{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.922{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.891{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA24A6FADC072A5EA771F20539BA68A,SHA256=25BC9B4E7D09484828862643CCB1DBFF2F5DDBEA7E67604EB3828C8BF9FA0EB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:02.711{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.235{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.235{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:05.235{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232754Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:06.993{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025679307D3CCF83C0CA84EA314295FD,SHA256=D9321577B2F9D17EB9D25865005711A0B348F243A4918BC7A035045F2F283C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:06.909{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF37D75E3F88E6D68C7EC85F58AD5BD0,SHA256=257AFF399C406157276A9496E53BAA52B8BC287C1245694A225CD6DB0A8C7EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:06.661{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-120MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232756Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:07.993{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D502DF51D0980C572F8B6A25848EDF,SHA256=621F05778F233C1F46057A7564775703B223B0DDC025A5A270D18C255FFDE2C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:07.923{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2927E1C56884751B1FC0016FAC3B145D,SHA256=C6FDD42D503DCF3E39DD900205B5E41C1C1F43DC4C9E4D7BABD2CE622FC7DAE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232755Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:05.188{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:07.660{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:08.927{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562283451E29747C95471A3F474BF8A3,SHA256=91CA8EA74AE43A85D0AAA743E71A003F7A22A31F10EED0B401B4AC435F1E86DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:08.079{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53D374CAA58E8096A35A7F0E416BDC55,SHA256=B9694164423B0AFA03B18BFCFD843E59C9CE7D5273615A5210D3175E19FDA4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:09.943{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202C6C9F60F2B95A2D9053143C3BCCF4,SHA256=94F442B665EEE58D8CE51E8F3EE73995745683BA4359C32FBDFCA293ACE605DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232757Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:09.024{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6896243048BDC23FF15640E1EBFFB421,SHA256=E2DDF90E156438C5C2B4BD5AE6108C565EAAE01C9456A0DE1BCEFA0A838F9919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:10.958{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8CD17C01213F9C6E43218F4D751061,SHA256=28C7C4C4750C0C3C9755630EA402CB0F6996249C3459276F6DFD33293AC2CCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232758Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:10.071{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76DA21367FBC2043E90D30944BFF3707,SHA256=989B93B195FA686DEC6F91EB88BDC4F715014F35ED1963382F51D6E66CBA46EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:08.606{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64012-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:11.976{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57FE3DBCEF0DBC189D77F5C7F1A1B0B,SHA256=0B6E60E9BD94A842F15DE095DDAD18F475A9A027F9E70353091DAA14B173638D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232759Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:11.071{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8AA79943F63F4A6AB0EFE2E94BD7EF,SHA256=ECFF91C38E48B8A0DE08102BC8D0D372D30CB86EA0A4B62B3267335AB08C9F4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:11.911{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C43-6127-3904-00000000F201}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:11.911{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:11.911{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:11.911{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:11.911{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:11.911{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6C43-6127-3904-00000000F201}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:11.911{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C43-6127-3904-00000000F201}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:11.912{80A11F3A-6C43-6127-3904-00000000F201}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:12.989{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FF2EECB330E6326723D62A310E8D2A,SHA256=48691288E52362E9E00EF95F57C5E74D2911F839DC48C72C4C48E344AE781065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:12.927{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E805701818901B25041B7089E6C574C5,SHA256=F12EAB793567A1D9ABC581F08E1AA916BDE238079D5776B215AB6CC69EF4ED3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:12.927{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBC409E8AD88AEA23008233CA3178F98,SHA256=9B34B402ACA4B2B705923D656982E852724810E40D15F6CC19650A9BDCAD366A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232761Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:10.219{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232760Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:12.134{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B04BD326D318FF43FEDA778A97CDBE1,SHA256=24EE1CD62A36A7720961FE149A56E077A70329B1BB7FBE2637E26244D6F93EE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.802{80A11F3A-6C45-6127-3B04-00000000F201}10004436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.630{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C45-6127-3B04-00000000F201}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.630{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.630{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.630{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.630{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.630{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6C45-6127-3B04-00000000F201}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.630{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C45-6127-3B04-00000000F201}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.631{80A11F3A-6C45-6127-3B04-00000000F201}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.052{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C45-6127-3A04-00000000F201}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.052{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.052{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.052{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.052{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.052{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6C45-6127-3A04-00000000F201}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.052{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C45-6127-3A04-00000000F201}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.053{80A11F3A-6C45-6127-3A04-00000000F201}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232762Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:13.165{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EF5989C0452697F59EF6B7E860B070,SHA256=E57A9AB125853AE6D25E68EF43027A40E127DD7CD703CBFE47FD29E7264E5AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232763Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:14.180{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3828BFD0A6E2634307CDE6A44DBBFC74,SHA256=FE18AD096BFBA0DF306EECB81C96F5606FCE1AF397FCC26499C5FFBBA1485FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:14.099{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E805701818901B25041B7089E6C574C5,SHA256=F12EAB793567A1D9ABC581F08E1AA916BDE238079D5776B215AB6CC69EF4ED3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:14.005{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D653B485B61666BB5A9FD23126F8777,SHA256=296C582133998F2BC19BCCDEECB973FCC9CE76DE7DEF830C184524D78B10F4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232764Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:15.196{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C62FB23E4D2F2667BC7F93EAE566E1,SHA256=4038FA89BB5D45F70E111FFE213922FD3825FA08AE2ED67213C33D4C53D86C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:15.552{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=108F0EE2E466BD749E06C050BC2BCC6C,SHA256=95E8D9B9EE628281DDBCD3F8B956DE5CA27E3BBBCEBBB8B7F6C85A35356FEF77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:13.778{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64013-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:15.021{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D21FBB766E64A05C263F873366DB0AC,SHA256=85D39C1CA4A7F03FE052FC961F71C0F01D965D11D5FC518502B7494561B7ADC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:16.849{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C48-6127-3C04-00000000F201}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:16.849{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:16.849{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:16.849{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:16.849{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:16.849{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6C48-6127-3C04-00000000F201}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:16.849{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C48-6127-3C04-00000000F201}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:16.850{80A11F3A-6C48-6127-3C04-00000000F201}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:14.106{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64014-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000273695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:14.106{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64014-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000273694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:16.036{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=32BE0C5DF8E8E2083ECE32A42112E595,SHA256=A136BB5C0248B02BF6C4AF6421D446670304552D54E0AF428A973CFA2C9B6EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:16.036{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B5C8406303AC1B8BAA36A735D92C25,SHA256=1BCC133537EA8D0173ED868C7B3AD204F5593FB9CB796B04DB2E222E3CD09AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232765Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:16.196{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B770B464C5B1D230FD1E66578E12F8,SHA256=3F59BCAD0795A20740F5AD660D41AFF7CB353D80F2F9557336A86B3DFBCAC9A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232766Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:17.259{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F330EE81BC8B60D71C110BFC02448BF,SHA256=070F78D2DAA45D618D913B1EFF3FFE34DF4C37E48D27A0B2053A5F7237CBE725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.880{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D577891119AE77D00597AF7578C91BB8,SHA256=3B5A2CD739B4D28CF8AB5922CDB961EEE640E41D282909D1FA6BD95DAF8227A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.849{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C49-6127-3E04-00000000F201}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.849{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.849{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.849{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.849{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.849{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6C49-6127-3E04-00000000F201}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.849{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C49-6127-3E04-00000000F201}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.850{80A11F3A-6C49-6127-3E04-00000000F201}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.630{80A11F3A-6C49-6127-3D04-00000000F201}45444940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.349{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C49-6127-3D04-00000000F201}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.349{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.349{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.349{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.349{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.349{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6C49-6127-3D04-00000000F201}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.349{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C49-6127-3D04-00000000F201}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.350{80A11F3A-6C49-6127-3D04-00000000F201}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.099{80A11F3A-6C48-6127-3C04-00000000F201}4548716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:17.036{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CD086594F08421B6EE8D8F3305C14C,SHA256=BC21470EEDFB3DD9D98D68617F581DB7A2BE407321BF30A4D098EE8CFFBABA4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232768Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:16.110{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232767Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:18.321{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB0E1BBBD9B4D132C36F99D8A8EE9F3,SHA256=473905AF46D9383563BD98C85DA4DDCF909E646A99DA80A483A34F94A15A83A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:18.101{80A11F3A-6C49-6127-3E04-00000000F201}5924308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:18.068{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB6F5A3D4EC4E2A56E5AA1FEA3D1C72,SHA256=A0B1C259E6FFCA664FACF7A9DAA1B2995366627F6381B984E695AA3747DA54B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232769Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:19.352{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76173A5C48D75491FF4E064B413C14AB,SHA256=16287E4364054F4135CFF4A780BA5B9EC4B98C867B6F0750EB752FD61BB96640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:19.505{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C4B-6127-3F04-00000000F201}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:19.505{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:19.505{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:19.505{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:19.505{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:19.505{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6C4B-6127-3F04-00000000F201}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:19.505{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C4B-6127-3F04-00000000F201}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:19.506{80A11F3A-6C4B-6127-3F04-00000000F201}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:19.083{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CB20740EB433880E140FE6A3FC4BE4,SHA256=A9A8C38717C379655B3226FFC1CC6A18D7C47ABB26676599F1365C2E2990C313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232770Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:20.383{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7475EA30944CE9508EED23A588E7DD,SHA256=A9F4DD708507DAD5EC6ED6D2CDD4EDE7B8C83286260F99E1C659F120AFE73532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:20.521{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF45D12B95DC158D8A96E9D721398AA7,SHA256=298DB0739D77847DEF2D63E8F13CE72674DB6C1B0D9B16E2D79EF4FF8F55EE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:20.083{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1655E6602AA3BFFA4171112EB59E3D9B,SHA256=E3AFCFBC040D517C1C784958C4327AC4319403AE29E03ECC58F6DA3D7EC8ECB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232771Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:21.399{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE36058ED7A6BC9DB222A3887BFE01F5,SHA256=1F5BBFAA03A97E74A417CF96061D8FA1B2EE84CD813880702C6B9B9C6C3491D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:19.638{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64015-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:21.099{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B6976D880A2D240317C3E08C058BB6,SHA256=F2DDF4D715DA7EDD9B99D8C5294719F8218C490D67EF825929641F346FCC9342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232772Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:22.415{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE424E2D19E209CD43890D8CFBA81AC6,SHA256=920BB67EE11843AA76464B8354FFCB48EFF5E126695A3AEBF7F4E2125051A5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:22.130{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB411C1F71B2FCD8FC4F810D8FB40056,SHA256=6DB75555A9E026358AF0646DCB75E122626A084E7427EDAF9865211D267AFC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232773Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:23.430{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD58A821BD12B11449725DE6BCA914F2,SHA256=9900CB5D930A802F35651A4195806D37E7E5F99D89A40AFEA9028ACCA2D9B718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:23.146{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB84E92C3D72AE9F1CE16E17645EBE8,SHA256=B31D898A2D818764A75A49C900270D24C48568AE5C90FF784C7A7E20A5675A47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232775Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:22.110{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232774Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:24.462{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863314301165B4F5A3DA0E3FF358801E,SHA256=67702D1A801CCED6166A6676419D59C94AB53D1811AEA363DD530ED35D64FF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:24.161{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92346FC40993C9E538ED8B951A7C2CA,SHA256=08209552CAC999E796D1770BEBF802F9793E07592117657233CBAB263BBD4158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232776Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:25.462{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B194EA28D6DB9FD643EF74AC477EC5BF,SHA256=4AB7CD1FA328D27E212A79A03FB8E7B54B0BDD975227CECE02B1D084CFC07003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:25.193{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96623C45054C4A47DEC1F9B801D58AC,SHA256=E1F4DA952999D592781B987A230E51B4DA500161E51A31B706950E87F7A342FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232777Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:26.477{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D45F6AB2614273B96FF25D54D0504BC,SHA256=D412BC2926FA59211795D5532C3ABA5CC2CCEADB8F3710EB2BC2698DBC32894B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:26.208{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7D820279638073707936650133D58C,SHA256=CB7AC9DBACC1F3EAE1E5B7BCFE2BD8B90FD15AB1691A3EF90330BA1E1F602C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232778Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:27.524{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81639F47D6BC3B4184789B47AD00914B,SHA256=B291270188BBC9289EFD82862E5402F64B2C83F97082BD057BD962CDE0A5F58B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:25.621{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64016-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:27.224{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFFB2B46DA1BB76CCA3B67FE5A8278B,SHA256=CF939860327B548C44646E76FBBC364C12CE541FE08BDAAA61B430BCBF6E8D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232779Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:28.633{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7C15CB1E0AFB01AC219A2EC4C808F1,SHA256=E684A2A2E39A001B918FB2F396917D1C540390473CB6C8905703A43C1E327DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:28.256{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431B4B9791B901FA3F2A56F8AEA5A9C5,SHA256=91E606693C134AB400DA2E30E1081DDEC3E51CD01A964A96DC9B2411B61C60FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232780Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:29.665{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558671FF3404E01347753D3114DBC7A9,SHA256=618B0443A60F05B3E53C7337E34D2AED079B2C9E373359EA3CD98A8035D93B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:29.271{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D362A71DEBD14B2303ACAC58789837B,SHA256=33156D698AB844698A46EA39D061054B25C3A7A3F54F04B77F292885D61ACFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232782Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:30.680{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481623583F79222CCF486EE6370BFE53,SHA256=3351000186292D42B0AEB60674E0436E49A08FC5BAA9C98751359CA00C0D9FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:30.333{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDF3A4A7964F3D8437627A24535992A,SHA256=8D2B1B4FAF1E184ACCBDC6EAA8E90B4317D9AF3DDD74610E1100ACC411AC50C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232781Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:27.204{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232783Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:31.680{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4E47DB84B880109D6D01AFD1107CC7,SHA256=9FE3BC00720BE7F5E8671E07457AEAC03FE767202BE612F1283D6599AAD22B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:31.380{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1664133BEF55A0A7FEED7F7AC1E1792D,SHA256=4A52953B03E70D41992EC52F76FD5DCCCBE4916CBA41BAADBE7FB3062F8E0E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232784Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:32.680{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B2696E0E2250E460C8DFB9DF123EE1,SHA256=E6ACFC2F1341C904CB8DC19FD4BC2A419DBD3EEB0E01DC96B6D4C418DBC74B81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:30.778{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64017-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:32.458{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4ACE6E6F8B3208F191B19446712660,SHA256=FC42D00863D83EB7279919D83B72CD9365ED078A72DBD1C3484E7E8FEA6CA8B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232785Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:33.696{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5211B64578F8F367CC7DD81456FD351,SHA256=8BC91A3D2DF24BEF1A1A3A137CFE84B50731C5F3466BF21FE1D554C7F3D971FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:33.474{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F8731882CC76B0C449C6178DB7A913,SHA256=C8F84F4F2B9F14D38FC06315164134B6F54DE23A5C8FD3EF6F46F46A01870DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232786Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:34.712{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B962871B14BD7909240AB08C9C2B2E,SHA256=1A1730AED6FC0F97D515C88563EA2C4F56272C0880183278DFE708DFAECA32D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:34.489{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDCC085F8EF79326D5C4BB6E392E079,SHA256=16F5C9EFB9A5C5271C393E45A0C4D862E22D8EA7FA12647DB47F689CF42C203B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232787Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:35.712{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3A3F21431115955886F0ED5800A2CA,SHA256=875C9535E906B880D511E8788B5EA171793D17AD8145EA4DD1644321123D6E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:35.505{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597BE45DC675AF0FD72B5CBBFBF30F9B,SHA256=A90D9D1542FA182F30510814CF543613DDB9C5DAF7875BF8B857A6DD651F02BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232789Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:36.727{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5150977034BBC571670BEF56B623789,SHA256=333D8F20CCADD4C76E6AEF190B8F868873FB5F3106F799B76FC6F0BFF9106D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:36.521{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA1D61AC595D79D888AE381ABABDF9A,SHA256=C1DB3EF3448B4AA07EA66607142C0175E5CB3B96F66C69509F5FE6C31CC686A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232788Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:33.157{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232790Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:37.743{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341807DE57A681DCE24BEA16B9DFD900,SHA256=49C6FB6DA07AC044C3E257559698F6CF1DE00DB318F713431BE9D89FC2102133,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:35.793{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:37.552{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69986BB62786D55262A12DF304F860A0,SHA256=EBFAAA582918D8FE297B88EBF956F13F3FBAF2E442A16293F58ED609A1C14A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232791Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:38.758{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9028C6205EB4AE7A82A1E65BC274D8D0,SHA256=01F64A037C2BB8042C0C20D6CF4B0123926BCD72BCBC15781C4CD68D5A136DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:38.583{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2B8E85EE4EB491B3A53F04A7C929D3,SHA256=0D4E99D1B8CD572FB4EB43F3B25D3C98474A6B16AB8BB01B5D6C73EBF18199F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232792Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:39.758{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B51EC61E6A3F9254D6BC1473D14F8E,SHA256=6D2A4CA81C9DEBBA8BEE90A359AABC2CE1EDDCB2F4CBABE533D874A32CFC9FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:39.599{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D3E370D2CD57BB2434C7F698727D3A,SHA256=EC34E192F77B020530F9317258B583E46647BB867FA2268184C4B0B96B936667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232793Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:40.758{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA462C451FFA45E08417E0ED0869536,SHA256=7C75A2F808F9D7CDB9ECD7EB68FD126E5C358E983C7CE93685947A3356477CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:40.614{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B5335A1E554A1D7D02C2A24FEFF4B1,SHA256=6E05FAE24564205A9D0B33A27ED619ACDAD072E9401C0789C237325006056541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232795Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:41.774{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82754DB7517A83515EC5E97D886EF041,SHA256=DFDF7AF09610EC4C7BF9837FCB0E1CC0048E8E1A8B30E9BD161457AD1C0965AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:41.646{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8EEF79763E7707B230A670C355A311,SHA256=5CB1EA859BD9538830F0E3F2FAB549415601B0F32FBF7A3C393E8845CF59843E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232794Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:39.188{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:42.677{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C967F841BE5E5E388D0BF5B5870F2C,SHA256=111C51470336E5FB2F8B2E9864EC25D73D2D7D2CF1A1A1321F64634FF87B0B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232796Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:42.774{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F9FF256E1B72DBA3C545A209A0FC8D,SHA256=6496D5FBFAE5B0720660FFB383AA55D1F73579621C2F7033E71B4B78920F4DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232798Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:43.774{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665531EC3E027F8AB60389E99B1B23D5,SHA256=3778120AC61CD4491BC3482AE14712508CD6FFA31FE084F8CF5F02EFC3ECC9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:43.708{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996DDB825FD77B45FD38FE277ABDD103,SHA256=3C773F4FD3812E3A86CACF2A5C7034DEC027E0DE20265E06B7B4BA7C75899127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232797Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:43.446{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6467EED75374D65575866DB1C05C18BC,SHA256=68E3BAD13A36DD6345BF5CFB8EEE0C06DE90B51C2C6EC53C4BE7308926A15E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232799Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:44.774{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3C4A5A3D3C1ABA6925831EEBAF3922,SHA256=6D12A5D20FFE550B0065E0165F488425C7F0FB576CF81655F23200B9A9784AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:44.724{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E79C04C09F5C26608EF5E256EAA4C9,SHA256=E24A8E122FDDF9B6972606C3F86FD6A8BA3E68A5EE0FED5A20E60233A356A12D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:41.778{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232800Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:45.805{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF85A7D58525352834CC66383820192B,SHA256=74E36308C2BE328881DADE5E2436A7FBA1559FB950E2350B7E12BAAAF71ED677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:45.771{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622E798C393D0DFE2219689833B3C789,SHA256=36FA4D5F0BD735B5F68D9C0BCED2D74BB5C9E8AFC2BED88EB5D59209216D936E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:45.208{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=543290AD800B142FF18CEEB9500AD313,SHA256=EBF975E351E5F3570709D2C7477ACC26ED208E00DEFB9E7B4143097B6CD2432A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232801Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:46.822{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04570AF345EE522D43FC6F27DFCCA33E,SHA256=3A5129D8179B81B9F1A37BC5E7EE4257D8BE4299E6078C4378ED9DFAECF71F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:46.802{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68476E7F19C029EA60D851CE8AEF5F78,SHA256=7544818FF66FA23B28D5B3B180DADBF35FDA8EC7C328906349CDB8987C168717,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000273778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:26:46.677{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000273777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:26:46.677{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007297d0) 13241300x8000000000000000273776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:26:46.677{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5c-0x7d2c4f1a) 13241300x8000000000000000273775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:26:46.677{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a64-0xdef0b71a) 13241300x8000000000000000273774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:26:46.677{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6d-0x40b51f1a) 13241300x8000000000000000273773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:26:46.677{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000273772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:26:46.677{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007297d0) 13241300x8000000000000000273771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:26:46.677{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5c-0x7d2c4f1a) 13241300x8000000000000000273770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:26:46.677{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a64-0xdef0b71a) 13241300x8000000000000000273769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:26:46.677{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6d-0x40b51f1a) 23542300x8000000000000000232803Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:47.869{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15276AD91F6B84B3078130D34AD1695,SHA256=31E2B6F80AB3B6C12293F2ECB2FF63FC5F45608D79D5B17B86EB542C6A344E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:47.817{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D6CD2B9886482BF851B66E2B76DFFA,SHA256=B0936248A3B4FB0ED1A506AFADC7B8ADEB96D77FDFAA31768304BA065FE9C171,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232802Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:45.063{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232804Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:48.900{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE6E7838DB8F6A1041C2B047ED45C3A,SHA256=45EE7E7DDD6E9CA1E4438853CE98009C7075C2C2108CD17ECEA5D3B884311B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:48.833{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1A1B9F0F7AA3071F595B0E53297AAF,SHA256=4BCEC02FC0050980A6EC902B348F360EFE97DE55FF3AEE4BB730E8A5B505A426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232805Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:49.932{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5243B39848C7807F98A8DCFBB0EE0E6,SHA256=2F042DAB4ACA43640E0A0ECF25F0DCBE9C77095DB8EE32119A580AF782F1CF57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:49.849{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34359353ED8B9248BA3502E3D165C91C,SHA256=8EA06816B5E8827633747036D3BE891ED89C13BBC8F011830735533E78B914E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:49.677{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:47.621{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232806Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:50.932{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CA0E5031824C656E94696017F2C35E,SHA256=AE755B179A50B3967C6031FF2E368F76973D1FE452877FDEC954AF73EF2BDEDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:50.864{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F466CE7C6BDC4C2348DB8CFBD28E2D8,SHA256=B9167BBAF55F165259E33AE894782C6587A655E56BE60BB9C510B775ED854657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232808Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:51.994{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240774E03700439EE306DDDDF174B79B,SHA256=A57BDC2FCEE2EC30678634D985136894DF69F876EBD4E19EE6147277FC932F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:51.864{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA62679A9B786E08325F723F541C624,SHA256=10C9AC232497998846F064047CC142A9E386AD0C2C3907746042DB5CC44A01D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232807Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:51.029{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-121MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:49.231{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000232810Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:52.994{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B60E6421DC2EBD3D961D70ED82CF8D6,SHA256=910C2F4132893FBCECF2A358B9D392E7FA2DBB465D9415733560E902A88BCAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:52.880{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221B8BA60225835EE28CB9317B71B8E0,SHA256=15D79851495E4F42EF70BC9469DE84108C6A20A94E363F4538B45673A25F0006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232809Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:52.042{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-122MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:53.911{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12F3BE4721DED16884FC8DB3559E144,SHA256=276776A08195E0C5BD23C9B1D8A2E888A502B6C9CCD407FB8327A21E33A46F25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232811Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:51.047{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:54.958{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA9486EC50B831625731ED89F4FB4DA,SHA256=310B8A8B7865CC44896F5719A579B3DD9F216E589ECDDEF007C52D36F898D896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232825Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C6E-6127-FE03-00000000F301}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232824Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232823Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232822Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232821Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232820Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232819Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232818Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232817Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232816Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232815Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6C6E-6127-FE03-00000000F301}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232814Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.634{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C6E-6127-FE03-00000000F301}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232813Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.635{D371C250-6C6E-6127-FE03-00000000F301}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232812Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:54.041{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AE6BEBB60C67C2D8D9B9480E19DD0E,SHA256=9B17745D04C306EB85C83488321E5B58B753B5B34A08B1F6E68EFD420ADE1938,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:52.637{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000232855Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.931{D371C250-6C6F-6127-0004-00000000F301}30402428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232854Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.853{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD0BCDCAC79712726E5CDD3A2B482FE8,SHA256=EBBBEF96BCF94C385A9C7F8B6CE50B3BF15DBAC8580998082043EF93F302575A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232853Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.853{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76F1B01D34DDF0A80AA0AB45ABD0C798,SHA256=47B65258D81022C0E201567810D297F8D5E8AEF3C8E71C36B4DBEF6A9EB9FAF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232852Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C6F-6127-0004-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232851Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232850Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232849Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232848Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232847Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232846Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232845Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232844Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232843Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232842Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6C6F-6127-0004-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232841Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.806{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C6F-6127-0004-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232840Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.807{D371C250-6C6F-6127-0004-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000232839Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C6F-6127-FF03-00000000F301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232838Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232837Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232836Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232835Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232834Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232833Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232832Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232831Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6C6F-6127-FF03-00000000F301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232830Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232829Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232828Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.134{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C6F-6127-FF03-00000000F301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232827Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.135{D371C250-6C6F-6127-FF03-00000000F301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232826Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.072{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8529E081BF7F91305C4B6AA6C1025217,SHA256=DA30D94A34B5DD2EC6C4E53FEB534BA84849138EEF588DD70447BFB9CBAE2B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:56.005{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E68FA3C177AF1C58766C25D504807BD,SHA256=C81A0D76AA7DB9EC15F1197996A4DD952BD4E2D32D481EC610FAE1D2D645055E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232857Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:56.556{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232856Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:56.166{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB1060B642158EBD411333781073960,SHA256=36991BCDC93E3C5159CDC8C5953B6170D967F9FC9BCD9744E2A060B6A3B9A145,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232859Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:55.518{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000232858Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:57.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B41011C7B4F83E1B0805E0EBD42BF04,SHA256=FD72B97FDF81DE498164D2494670082DB5427CEC6E4510310CF92A72683C3801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:57.020{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9469648D92EF631044C00B2832DE7F,SHA256=E77686D94A8FB90960DE8EE696F4336FAE36A734987563F0ACD40DD4D1673C46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232875Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:56.096{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000232874Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.337{D371C250-6C72-6127-0104-00000000F301}24401444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232873Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.212{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E58EB82E6778E3E0EEA27BB4DCFF0E,SHA256=94578D80827414C8C6BCADBE201A0F37369C20ABE5AF4093A2129122AD05DA5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:58.067{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD3DF01DFDC25CFE9C8C28C3897E7C3,SHA256=BE717C88F34EDF591268838AE015421A2015EA83E4DB700D555C129928574741,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232872Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C72-6127-0104-00000000F301}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232871Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232870Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232869Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232868Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232867Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232866Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232865Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232864Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232863Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232862Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6C72-6127-0104-00000000F301}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232861Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C72-6127-0104-00000000F301}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232860Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:58.166{D371C250-6C72-6127-0104-00000000F301}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000232891Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.900{D371C250-6C73-6127-0204-00000000F301}24003384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232890Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C73-6127-0204-00000000F301}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232889Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232888Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232887Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232886Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232885Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232884Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232883Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232882Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232881Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232880Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6C73-6127-0204-00000000F301}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232879Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.447{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C73-6127-0204-00000000F301}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232878Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.448{D371C250-6C73-6127-0204-00000000F301}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232877Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.228{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C7AE617804C75469DB5E05F6A60B43,SHA256=3B93B068A993EC4017DEBA608396535BBDC401478623E7F72AAC1960C69F3126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:59.130{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5FD7A770477C6DAA45E3E5C59880DD,SHA256=455F157EFFFF66369AF9E7E2453C712A47C45CCC4FB14BB4AD2A83460D37BFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232876Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:26:59.166{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD0BCDCAC79712726E5CDD3A2B482FE8,SHA256=EBBBEF96BCF94C385A9C7F8B6CE50B3BF15DBAC8580998082043EF93F302575A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:26:58.637{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:00.286{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A428DDC3C27961A3872828CDE37F7C,SHA256=4D15F9913B1A99C8EE419E789B74BD4147854390E8F102B32569183E6BF98B8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232907Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.494{D371C250-6C74-6127-0304-00000000F301}3940860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232906Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.478{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B313F16CFD6FE6EF499D7F9CB4027408,SHA256=2AAAAB49F8C4B6B4EC79EE0C8526EAF2E3E52B825EF3AE4E98B304174469AEFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232905Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C74-6127-0304-00000000F301}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232904Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232903Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232902Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232901Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232900Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232899Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232898Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232897Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232896Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232895Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6C74-6127-0304-00000000F301}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232894Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.337{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C74-6127-0304-00000000F301}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232893Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.338{D371C250-6C74-6127-0304-00000000F301}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232892Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:00.228{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926089CD967C28655ADA54C9E4EAACC5,SHA256=330D417125C2E1B8835AF969D957DA93C05E44BEFF0C99DACC6EE46ED516F91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:01.302{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B311F8112CA144B8BACCB039CA85F4C,SHA256=891B2174CA15B0C2889AEB0FF133E4B5CB2D8EF2B1B225AFC200ACA229E826E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232908Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:01.259{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB84F6B87E8105395179D720A812F701,SHA256=6688E5D739D39A6B8FA1760D900CB520B96297F17D862F9805C78B5CBC97CB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:02.333{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A5710F5FFE6114CD600C0D2BCC7095,SHA256=DE6854D4FA60FF8201598A1EC70CC8B620F70724BEA3615FE01A96DC380A78AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232922Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.275{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50E678D83DC1BB0503DD4731C81FC70,SHA256=AE0D04DE35B41CC388BC68DE6DA369AFEDEB801D89C031FF01484AA11625DB60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232921Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6C76-6127-0404-00000000F301}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232920Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232919Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232918Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232917Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232916Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232915Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232914Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232913Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232912Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232911Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6C76-6127-0404-00000000F301}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232910Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.009{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6C76-6127-0404-00000000F301}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232909Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.010{D371C250-6C76-6127-0404-00000000F301}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232924Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:03.291{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA7AD22A3924D72220282E7D6E0EB2C,SHA256=2D0B3023C49E79B03355AD806671E20DDA409032CF1DE28DAFCF3176860F9BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:03.364{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39409E66B1CC1A3E8A6BC863AB5BFCB5,SHA256=FDFC5D14F68EFCD4032ECA91546BDA1983E1C971541008911DA2B7F29916AE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232923Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:03.025{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9ED3EF683E723E4A2C913B2FDFA2AA6,SHA256=ED61DD907EF3A5E20789099317C584D98649910F52391D293EF268BC253E7838,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232926Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:02.033{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232925Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:04.322{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A99A21A4274EF5B47ABF3D8F617E0DC,SHA256=4626F8ED75E3EFEF2483751A055D7AFD3AE27D92FBACA15A8BF3AADAFEE812A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:04.381{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03552BE880265CDD881DD8BBB7843FDF,SHA256=F2CC6C63FDE48077112318333F22003C7CF476AF94B1ACA55DFA6B975F339B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232927Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:05.322{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DAF576C60CB86AE55BFA4EC445EA22,SHA256=D8AB30A7F8935BEE02A56DD46B416250B1AC2FE3A6278EA85B8C9F841C3BC15E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:03.810{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:05.397{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F48A84E6C6AD6CD2B6CE29385E800AA,SHA256=B226769468A581C2358098DC364059CB78194D5C0ED91EAA630FF29AEA95536C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232928Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:06.369{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C9FA6C0C89210D9EA9A6110018A2AD,SHA256=6EAF9E4357C2B05FCAC7BD97E698FB2B17DD91A03292679FABAA2163E6F2C6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:06.412{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F81F738248D4D7107A40AE0BB753175,SHA256=36FDECAD3FACBD2FA9560CF989412C08307A05163BCF269AEAA4F468F1BD7409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232929Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:07.400{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73D8A998D7F6E7F10574451C78C642F,SHA256=A205902D765AC655D742DA9138E302B547D59DF5FE5615721B827DBE6B0B0E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:07.428{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F496013F139D4736176A90AFAFB20A6,SHA256=EF60A2D56E269AECA16A53FC1DB650CDA572EFF40BF588881B282C318673CCDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232930Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:08.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872A545806BA08692709072E8298B115,SHA256=56C2BC1085732B69C1E112E96AA633AA0B86E945BFFEA020F797BAC7D029502B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:08.432{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B1AA20468EE1FFD17885B4CDD63B5C,SHA256=5D8EF924635283EFAE2613A0B3D7BE42AAA9A2369F67086260BF454CDE0B9BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:08.183{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-121MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232931Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:09.447{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECED3A15C4281FF6C7CDF0F79DA62ACC,SHA256=87FFD108C3A59288E8595C59B12C194ACC0F6D2FD5F86089B025D45E4181E930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:09.435{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC105C31D1F5420A7D724E9BE28087B,SHA256=117041DAA1BFB8269BE0CCC215EBB67D65CCDC015B226C1A499F990C266A9292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:09.195{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-122MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232932Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:10.462{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B196B36C33A14ABDC52B0AC95DC90A,SHA256=43A7EF7473DB131AF470F8FE68EA3A35FD488E52D0EADD8D15FAF2029292B9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:10.454{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBDA5DBB16E530055A891EED532065B,SHA256=833D1857C36B23517BBC493E78B2D1B493C30F2A6267A60CF0ED304304BE27A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:09.665{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:11.876{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C7F-6127-4004-00000000F201}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:11.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:11.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:11.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:11.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:11.876{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6C7F-6127-4004-00000000F201}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:11.876{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C7F-6127-4004-00000000F201}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:11.877{80A11F3A-6C7F-6127-4004-00000000F201}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:11.486{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F33D63369B457D66E201D32843CB22,SHA256=7D0DE07B57D1B2AE4BCC23F285A9582809546E7805BFB28265EC212F722D9F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232934Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:11.525{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DCA43F33B4CE67544DC64BE5CF1409,SHA256=FE0ED009C228C92879BF058CE7528EFED6EFD4BD1B516B5DEE100753B89C87AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232933Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:08.065{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232935Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:12.525{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2388248E7E088AEE68A8C8AFF404F14,SHA256=9D48C6CEAE6459995BA50342B6F40DA0686E20A160AAB6109A3A9D34FA6170BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:12.892{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAFB88C50C6AE2D4E314FFEA20D2F1B2,SHA256=C0A996EBE4CFC605DEFFE77DDADB27451E6D2CA11271974E4D669B3D2C31E1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:12.892{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88FBD3829D15C343CEE593B306E473EF,SHA256=EA36EECB1A6081ABD3C634ABE0C4E42493ED222DCB3BD59CA5E2035FE472C9E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:12.501{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB4D046DECED53723BB6C95C6E852AB,SHA256=E47C5344E10EE0D90720BC3C3E21920449C0BBB387655552BA42802C0E6485EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232936Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:13.556{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8453BCA75749149AB713CD490DF19609,SHA256=E86EB316E6C56838D96B5DBF289ADB24E26A96B0424FE37A0C92C19880FCC943,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.876{80A11F3A-6C81-6127-4204-00000000F201}34364756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.533{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035357A6072A017FC5AC02283805DF8E,SHA256=F07AC5D6002CA62DDDBA5793B3A043EE4B964B07FCD2BF609B4032265C7E1F4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.533{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C81-6127-4204-00000000F201}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.533{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.533{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.533{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.533{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.533{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6C81-6127-4204-00000000F201}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.533{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C81-6127-4204-00000000F201}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.534{80A11F3A-6C81-6127-4204-00000000F201}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.017{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C81-6127-4104-00000000F201}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.017{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.017{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.017{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.017{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.017{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6C81-6127-4104-00000000F201}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.017{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C81-6127-4104-00000000F201}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:13.018{80A11F3A-6C81-6127-4104-00000000F201}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232937Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:14.556{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FC92F5AA6E4B1B028487A40CC96646,SHA256=E3BBC5F575F760BBC707DDC0F678E5FA343B4F1A9BD3C4DBCB7F89549CEFAF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:14.564{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D778975E960B4A66D20910E74AC4ECFE,SHA256=75E72976A05ADADAAE11C16AB04235BE8446627EEB81BBD576C0535788B63B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:14.033{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAFB88C50C6AE2D4E314FFEA20D2F1B2,SHA256=C0A996EBE4CFC605DEFFE77DDADB27451E6D2CA11271974E4D669B3D2C31E1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232938Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:15.634{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AF5528541E5291926AA04CB75123D8,SHA256=BDBCA64752DA9F7B0ADEDAF69E76B86B1C1CD40CB359414835E67BB21ECB5E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:15.673{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA481FAE6D1135A9A9C70D1F58848C2F,SHA256=D2D2DB318906A900E9758CC529935D144EACE7CF8EE6A8D55748F877F63545A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:15.579{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DD0ED5AE181B638A8892B762934C45,SHA256=9DE43BA61F76CD5F0897ABA0819A16B8A273C24650E390B14D24FC83E2AC97F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:16.876{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C84-6127-4304-00000000F201}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:16.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:16.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:16.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:16.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:16.876{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6C84-6127-4304-00000000F201}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:16.876{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C84-6127-4304-00000000F201}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:16.877{80A11F3A-6C84-6127-4304-00000000F201}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:16.689{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53DF0B39D248323EE42959CA494B11E,SHA256=6A0BC1513B3A825D50AF77432F47504646DF4020FC2FF6D7E7E56CA2FAD44AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232939Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:16.634{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F260020C51F9CE640E8F150F77B3E1E1,SHA256=3D8D2B52D42C08303AFA57286648A820EF46B955C98EE784F3E96CADBE2EC2B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:14.118{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64026-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000273846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:14.118{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64026-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000273869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.954{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1833E2E263BBCDC3F03331A292913EA1,SHA256=5FCCB67ADFCC9A01651250DD0D3803BB38B35BBA12050D0EA5D788242CAF12CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.720{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E8629FD7314113BFC4C153C26C1FC3,SHA256=AB4C59EACB4F5A19728EF4A371CC16EB4EC3B9D577253A0270470BB7A317C92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232941Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:17.697{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEC8D99C6041C8A00A37142E51699A4,SHA256=7F47C7A232F008CE8747BB66DC986FAACEEDDF277A604DF47F239C0D74B359AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.595{80A11F3A-6C85-6127-4404-00000000F201}3402016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.392{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C85-6127-4404-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.392{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.392{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.392{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.392{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.392{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6C85-6127-4404-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.392{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C85-6127-4404-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.393{80A11F3A-6C85-6127-4404-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:14.680{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64027-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:17.095{80A11F3A-6C84-6127-4304-00000000F201}29682760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000232940Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:14.018{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232942Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:18.728{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BAC9E96E22CF953D5554E045081E84,SHA256=AA22CB45B81491AE1D5A22303F1932C988B8672C5994359BC7D60F9673D1BE7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:18.736{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA00E34F6D8DF120C207E9BA4FE7403,SHA256=87A5175B88A0D83F17491E7D9D11E6EDFCCE5A3CD04CF35BB3DF348DBD224368,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:18.267{80A11F3A-6C86-6127-4504-00000000F201}36524880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:18.033{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C86-6127-4504-00000000F201}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:18.033{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:18.033{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:18.033{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:18.033{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:18.033{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6C86-6127-4504-00000000F201}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:18.033{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C86-6127-4504-00000000F201}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:18.034{80A11F3A-6C86-6127-4504-00000000F201}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232943Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:19.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A498D678B9C5E70E4432CF093774DB3,SHA256=31F07DE6F8BB20A2664450D77962DA0C5E9E9A6A10137808A31AA013C9B0EDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:19.767{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A1B6962E0FA2A9E55884F635FC0FD3,SHA256=8C2F716974FF6A10421609395FA4615E3FB576F10F9E925F7F12FF68E0C34C5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:19.517{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6C87-6127-4604-00000000F201}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:19.517{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:19.517{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:19.517{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:19.517{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:19.517{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6C87-6127-4604-00000000F201}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:19.517{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6C87-6127-4604-00000000F201}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:19.518{80A11F3A-6C87-6127-4604-00000000F201}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:19.040{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47B4FDD9C7FFBE768F197BD1BA7CCDD7,SHA256=DB8DDE89F3CC1C9C172E70BE8ED4B506D26D4F7704F077EBF4C0043039B725A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232944Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:20.775{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F67DFED83EB7B7C708E90C53B72D21C,SHA256=F8A7B13BAAE17148924869907B70ED1765999F29E998E8C261B7BB10C5C2E362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:20.767{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722BD35E20FCCF18E7CA80F6FE8C219B,SHA256=8A400BB1D28C6ACD87264E792F9CA4214171D6F4722A5D8A73507CC7092E9F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:20.564{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D18BA25E8A347C70391DCAA3E73B00EF,SHA256=E7FB0550A46C3E668F9EF4C2080F773D64B018F9A9754F82551307E17C943604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:21.798{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1082A921CAC289B7E5F0620C367AD94F,SHA256=7D68D94DE515C1D3C97ACEA13647FFF4911CEDE23F5D9779BEA590182A4C556F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232945Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:21.822{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4F16EDFB9E6D750D84F67DC1B48686,SHA256=643F2ACF633BF95885FD6BFE916687EFF44A14AF9FBA789230F3005830034352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:22.814{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC568876067D62ADEA3729C7067306D7,SHA256=840FCB6FA0D42308FDBA0307803094B25EB0AF87BD6F0B596A8B2DC5D59F6EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232947Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:22.869{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400337584294076D135F2C15BCA8AC65,SHA256=9AF5F00436D21C16FDC7179E8AF4B5DBF8C91D52792CE1D1AEDDE4F7C3730781,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232946Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:19.127{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232948Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:23.900{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E2F30E2E7CD0968B9307DC1CF0B723,SHA256=3BD9166AF77E806482140467FC0E8D4115721B4F3D212182A63043CE9E5E43A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:23.876{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56768921D3E312C09CA5C0A1C7BF71D8,SHA256=7BEC816FC206D5494E4B296D7BE0E39307F91E2BF84FD34477CAF92125527DF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:20.649{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232949Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:24.962{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E69F7D5FCDE4437FB0F6F54828C8311,SHA256=ADB01CF69CF2221A31163F334FE8211AAC50F0AEF130B48A39CE124E4A484841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:24.892{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D96D38A4A7A2C03FB076F817CCB553F,SHA256=4156357810536D89C67203C0D7C8B906B517E07CEDA5901E867D88CA5B054CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:25.908{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D9F945E2AE7DD26B9000B54DB9118D,SHA256=F9ECA595D2026A13615E4C7B5196A27639C138CDCBC76D8034A888B3844E6FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232950Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:25.978{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC1C339CC72F33739B3E8A7A88C6C53,SHA256=DCCFCF93CE3733C3E29CBDDBA186838B9C1A4B2BC272AB828E63788847F79E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:26.923{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9B4D2B05F9DEBBC07078D69CA40A63,SHA256=E3D32B67CBE4933A8CDFCFF776CE475FC4F710E9281FBDD196B019A11E68426F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232951Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:26.978{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220CB854C64E31FDEC2805EA6A71B896,SHA256=1182C29352999E0C8C5083D62DA0D719E3BD3CDE7BB9B654CAB60DCF20283A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:27.970{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29B9867B1481FC17695DB81A3F6F893,SHA256=CC10CC7A73B47AE42BDECD3CC59CDA775E91D1BDF15FB167FEE5CA548E18C088,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:25.664{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000232952Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:24.190{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232953Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:28.056{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4EA39EF0683DE49D9CB581FF6FB5706,SHA256=164893E50B2C76E9000C2F8F3BC4BFED98A783DCF2DE4A84DCB4C0D138399B70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:28.532{80A11F3A-4F15-6127-0B00-00000000F201}632364C:\Windows\system32\lsass.exe{80A11F3A-4F11-6127-0100-00000000F201}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000232954Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:29.072{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE3085797A9C92E6F5CA11699D6FC5A,SHA256=CC506E0F205D649B21D60688C7A85C3C40452AF6A3E86AD600F682ABE9980523,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000273911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:27:29.907{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x8000000000000000273910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:27:29.907{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Config SourceDWORD (0x00000001) 13241300x8000000000000000273909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:27:29.907{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_306E0B0B-0719-4FB5-BA4F-7A2D80831A9D.XML 354300x8000000000000000273908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:28.004{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local64031-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000273907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:28.004{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64031-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000273906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:27.996{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64030-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:27.996{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64030-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x8000000000000000273904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:29.454{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55AFE34B63F88760B2A827A02A864D0E,SHA256=873C9A40F3A8D3C55E100A30A4DC6EADAB64194334D47B7AA7592C205C777D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:29.454{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B03F318BD7879EE9EA22E84AE5FD1D9,SHA256=218157C51E672CA7B8C2DFEBB1F06395CE73D5DF3884984B3421EAC06D969B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:29.033{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66968E0C083ECE4D3783F0424C9E2A2A,SHA256=B3B8FC7A0B5B0864A8CE229277436AEF7797CB002CF72995FFABBD7DF3802D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232955Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:30.072{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BFD6645255CBBA6639E76931456A10,SHA256=4A172F542C34367842E96C372721E37017F8FF121B5935366DAEAF7CECDE4EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:30.970{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55AFE34B63F88760B2A827A02A864D0E,SHA256=873C9A40F3A8D3C55E100A30A4DC6EADAB64194334D47B7AA7592C205C777D8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:29.493{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64034-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:29.493{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64034-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:29.478{80A11F3A-4F17-6127-0D00-00000000F201}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64033-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x8000000000000000273915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:29.478{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64033-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x8000000000000000273914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:28.106{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64032-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000273913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:28.106{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64032-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 23542300x8000000000000000273912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:30.079{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A48CE4DDF27B8E4AB8199080620125E,SHA256=A435511FD256DB6C6EF28C1156DC276CC36EB437867256DC359BFD03AF1B1AAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:29.502{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64035-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:29.502{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64035-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x8000000000000000273920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:31.095{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9119304E78537FB42EFC555DC2B034,SHA256=B8C645BE3BD487BAE8537B8DB9326D31F0EF8A0C68593FE1CA060AB78EF2002A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232956Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:31.087{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01CAEC935D6CA50BF33240605099C26,SHA256=51BFBD72D70D6BCFDC1948208ECD73574D214ECF6A03974972C8129752815766,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232958Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:30.127{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232957Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:32.103{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01ED05D13DF9FFA85458F35B48851AA4,SHA256=54F2E0EFA5F16F661207CBBC9C17F7390A0EF6FBA614337FCEB6EE69D47AEFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:32.126{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB3D1270EAE1406096EB82E61D7103B,SHA256=A99126145529CEECBFC4B8982598DA897E974AB82EA5CCDC82A6A3CEDFD53947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232959Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:33.103{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30DE373EC92451DE69D4C08C0724B81,SHA256=F5467F9B3178DB82252F20342A0AB6886BE68832FB4A403793B41B73CE3C9D82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:30.680{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:33.130{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF3E8C2E9A98770E93FF1F9E420E343,SHA256=3A36AAABE509407358E9545A043A1BE002EB1A6E6EAF600910256A6E5A6F042A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232960Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:34.103{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F27FA0C6EFA61C15DAA82BD4B87FA4,SHA256=B3F1FF9A1AF768A37631D31716796E3CBB74D5EA15035810AC034223116C6B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:34.157{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601C73F3D683758503A97A67EA0D7DC5,SHA256=EF2FA65FF90F0404A501E5A0685CB013AC195D28EE969C6FD125BE700A758649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:35.173{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC0D527DC94BAE4A807B8B192A106B4,SHA256=B7267343BB0BF249B11A6EA1C165BCEBC79B554BD06881273254D1EF8CA184C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232961Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:35.119{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF16D06C0524370AB186D9F8792C9C90,SHA256=00024FEAC9DA1CB797B663AFB3B6A0919794252F283E3194F5CDB19E11868538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232962Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:36.134{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0780617472ED1A5F1CBE6A13AF3E8E,SHA256=4A973005FE14DE321FB33D5050579504C805DA66CE92C5A9B2C70A53B393D229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:36.189{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1357AD5C368EDB1F96AD2DA872DC5F,SHA256=AF38D0C9D82C9A583BD78158E07972190B9338AF693E4006C2B915C202B49923,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232964Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:35.205{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232963Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:37.150{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613C120F6C221A1C494EF148A1ABCDAE,SHA256=0EB59A4106A4E9B496EF80C56BC246CF47945C5C5ECAFD33DDD74CE0DB206CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:37.204{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52480484ECC6911DBC4BA8F4825837D1,SHA256=26B71EAA5989EA71FFACBE553152D9CCA2DC78BA5FA633CDC9C1C65DEA761CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232965Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:38.150{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C8ADD0144CC0D747897D327DCA81EF,SHA256=D68A485ECEBE6EFA26EFE6FBCE19C05BA1B09DB571F8EED90889F8AD7A48B5D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:36.649{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.345{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:38.236{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AB8842E01C62263E2069C56C4778B9,SHA256=5A92B9C7D29C980212B0C296564C601E1331B8ED3B5848E57FC36D6028A9395C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:39.532{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1A730ED13C733E58B474D8DF103362,SHA256=38EC310271901EFD619812ED6C9DBC34719C58BC8C273C593E5FC770C2D2C204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232966Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:39.150{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A0EFB0DB28FBEC1E1AA1A87B687A91,SHA256=96BF1E6F6790648C7799275FBC608BC579A6EB655529E4F021759A7C924F6C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:40.626{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A4D7041A38C80B257689D249F2D5AD,SHA256=69602675E40A32AD5486BCDFFD7D15256893F56D0FA42A7183A6179125B3A98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:40.626{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6D9B1A66B43631CC85AE3C55E80DCB,SHA256=F7CCC7273CE2A58009428C07680C6F9B32E47A80DFF5F4578B4E3E19EBAD0804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:40.626{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D965B884B864786CCCCBEC7D790C2C98,SHA256=5C32F300799015A182DF73EE74703A026105655C228C3695F54940651A60FB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232967Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:40.197{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECDE76E9B269751A058DFFE60837DDB,SHA256=A5CB7C7A5DEF5290E4A29604E81A2C234B12A8369B80711E43FD38187640653D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:41.642{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8EE5D9B77754A511252E3348D698E0E,SHA256=DA7EE918427CE930AE472498CFCEEDA379F2034DC99BC41882AF6B23881953F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232968Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:41.244{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD866026E833BFFD3AE70DCA36E6DBAB,SHA256=46A19B48980A1E623D63892DAB75C9CF943223F284845AB4DAC146507FA489B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:42.704{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C25A98A542630A5697199320987A88,SHA256=E3D72ADB077AC94C1D9D9DEB4489AAC0C0EC3B614A1620722625A3245AC00066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232969Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:42.244{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1B75C9A764709BBA97020F8014924D,SHA256=E6FF80CBA9BF7752699375BFE35A8B443538E0C770AD2C7DBF85D5F55C8C9349,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:41.669{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:43.704{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A54BE199B93D43B10B18FEA52DC7527,SHA256=32F85CF246F136C09134A410A9EFEF0D8F4CD3EC2584F92ACFA070AAAB07DCE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232972Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:41.065{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232971Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:43.447{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1EA530F506D0A0DCF1BD37BBF63D5136,SHA256=56046360D62A3D2B49658920340A2C3DAD206C12E8BD1FFD46E3ACF1262C4EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232970Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:43.337{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9E315F5FDC2414B7554A1E0A1B3F72,SHA256=DE4A9BD9044DAE76AC827E068703A2FBC230EA6173AA84653B6ABD5DB621DAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:44.720{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0DC0178FE188688D34F16C6054A01B,SHA256=5BC6708D40B5E97D5CEF05F72F2C6F2920DCC19CCC91451B3217A8DF8E70BA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232973Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:44.353{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91891107859CFD70125D8D63D8E45AE,SHA256=96B89DC123199AE53B920CFCF0693D67B81B78E642A0C1AC11E2ED7C17380529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:45.720{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794108622710B8325D0271ADEA62E377,SHA256=2B03D8A40CFA1EAC69761EC6573F615B5206A04406CB0DD757A4601A147E5CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232974Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:45.353{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB36088F62545E38B807760DBF1F8582,SHA256=E5203BB678E8A5C9F8FE59A4572DF2A8B46668211572ED977B26273313415F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:45.220{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DA318CED92B1AF82C12DF2A64578B438,SHA256=A3BE8DB585D151CA016869D11F89BCC36921635D0F9E0E5DA6D6BD498EB35EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:46.782{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C4248B3B7472E60D4D10449B1F56A9,SHA256=A9FD349E5458399D434641811DEF4BEAB4A3F2E391FC8F28DF1529E0AA9888AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232975Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:46.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EE2FF202857464B16E94572634C6E3,SHA256=259F4ED203CE4A61DC57D884506242D7348AD9E3DC15B1C7C386C2B7103E6E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273971Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:47.782{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593D6910513D1BB36E5672A559B1EADA,SHA256=59BF403900EB0E2EFC1574D0559D3D673D96CC22E3A9BF450807B610ADB98DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232976Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:47.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD5E631C95C1963176D7BB5C40B0CE9,SHA256=59E14EBAA430C321F681DF31E8F240DBAC006767F8A0255364C9A98F577EBA46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:48.798{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60857ACF1BFE533145E955D41DDC383,SHA256=DF47AF2E7EB67343225826B3D7E21CF4D9D9752DB9D76450B16448B6AD6BF460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232977Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:48.447{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A3AFE468576C4C9352E85DDA8BB270,SHA256=37BFBCD901967D21F78CEDC574C5B06C51046E6097251182A995ADDEB5748434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:49.845{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C988E14A68AEE95C7DA07FC13805CA54,SHA256=01B15B6E81DB76B0618AD5EC5A919E5AE9D4F0624D042B2169359CE87ED3F770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232979Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:49.447{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE026622AA5BEC048065A35190B97B8,SHA256=5A81C94AD228CBF045BBAB00F79DDFD34B0CFF59AB436C3858272AA4F08D5021,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:47.696{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64039-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:49.704{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232978Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:46.206{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:50.860{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E44F824DDA3FCD6EA80328BE66854EE,SHA256=424537488F39A7253935DC31E9DE1BE850FE0C720B8C459840CF5BD2F5B8F838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232980Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:50.494{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B07EC1260CF1E3EB79B12B74AB68B79,SHA256=86772C15C7116173703BE9C8F2A5D3D02B3B3288FA5BA8FB76744B4E205A926E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:49.258{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000273978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:51.892{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA32D6C58C929BC732643069A9115F3,SHA256=00F7388273FAAC844D60858D91159653DAF0BC547845255572BB619F5344A963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232981Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:51.509{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A235DA512DA7C74721B999F8C9B0C90,SHA256=CD7C12ADB03DA53B93EFFF3752121C8BFC27642E60AEDCBC85E10A33AF647E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:52.907{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2195238CDA027F34A867AA1F920CC7,SHA256=A74A99DF01C9A115C234B8A9E76BF145E7CA537656B3E3F504203D600B4637B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232983Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:52.559{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-122MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232982Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:52.510{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648657BDE237B9C2699B118EA1DB91F3,SHA256=73E5083CE8A06CBEE4619384D2B7EEB71A2E332FEE468A4B82C38892B8181F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:53.923{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B681C98EE92D463E15A18DDF575277,SHA256=60A908AC7019FAB134DBBB9F6922E60B1D9748EF666EFBFCA657B30F1D524013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232985Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:53.574{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-123MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232984Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:53.557{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD419E15CCE73888F36CE57808EB53A,SHA256=7C29B42155FAADEF07424E05F430829F3AC624C02A9A1C4FC04DF50402C75391,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233001Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.792{D371C250-6CAA-6127-0504-00000000F301}28243124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233000Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CAA-6127-0504-00000000F301}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232999Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232998Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232997Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232996Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232995Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232994Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232993Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232992Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232991Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232990Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6CAA-6127-0504-00000000F301}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232989Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.636{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CAA-6127-0504-00000000F301}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232988Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.637{D371C250-6CAA-6127-0504-00000000F301}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232987Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:54.589{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC8401F02510BFCE77D5F83E7DF7B1C,SHA256=0842263EB3714E3180C2F82FA381BFF931CE5E96ECC09FB3BD1A8DB0BBDAF86F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:52.727{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000232986Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:51.222{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000233030Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CAB-6127-0704-00000000F301}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233029Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233028Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233027Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233026Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233025Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233024Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233023Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233022Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233021Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233020Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4787888B9F338714D84E1E79CFAEC60A,SHA256=3744503E08C7AE4789467B4482BA83DC60190AE66AC9EBC17C980B26A1CEB189,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233019Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6CAB-6127-0704-00000000F301}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233018Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CAB-6127-0704-00000000F301}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233017Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.827{D371C250-6CAB-6127-0704-00000000F301}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233016Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E966B2C6A10552811F5C9693A89C38B,SHA256=5F4BD03C90A0C149ECACB71BEA998FEA901B0EED92F5BF57C135EFBD94D37D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233015Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.823{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44ACBEE81D99E02B8642D02A32FE43EC,SHA256=B1B2CB08BA3C4A91AF3187B2E8A87A0A03744A9FA5FD2DB871FD2AB3B7DB1430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:55.001{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB036E0417B904E62B9C7CE02455BA6,SHA256=7ADDB7E13DA665B0BAF371BA41596D7FD948EBFAFD93EA3D61CD077F24F3A68B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233014Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CAB-6127-0604-00000000F301}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233013Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233012Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233011Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233010Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233009Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233008Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233007Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233006Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233005Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233004Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6CAB-6127-0604-00000000F301}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233003Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.308{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CAB-6127-0604-00000000F301}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233002Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.309{D371C250-6CAB-6127-0604-00000000F301}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:56.095{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB35DB070373E5379DCD223B3D3B620A,SHA256=7D00904BEFDADCE078041A07DBA62463148987B44185885077E991B9DF231503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233032Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:56.823{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4787888B9F338714D84E1E79CFAEC60A,SHA256=3744503E08C7AE4789467B4482BA83DC60190AE66AC9EBC17C980B26A1CEB189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233031Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:56.573{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:57.095{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D1CE05540FBF3AFF2283D117D7D2F2C,SHA256=DBBB00BF222FC68F208A3F86B5964A0B9953E59AFBFE05F573FCDD53F01EC48F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233033Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:57.027{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F025C1A8E631D5EBEE2FA74ED5C61C,SHA256=679C9ED41F6D112394BD66952F4B741B93ABF9D15EF4671CFE50F96D0A004EC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233049Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.573{D371C250-6CAE-6127-0804-00000000F301}24963832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233048Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CAE-6127-0804-00000000F301}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233047Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233046Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233045Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233044Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233043Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233042Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233041Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233040Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233039Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233038Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6CAE-6127-0804-00000000F301}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233037Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CAE-6127-0804-00000000F301}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233036Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.183{D371C250-6CAE-6127-0804-00000000F301}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000233035Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:55.535{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000233034Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:58.027{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2753E43940D3411546DC18F049E019,SHA256=348F07B25EB0B42FA164A05996D756E457225BCBA7503F43C62462E6A4FE0488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273985Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:58.110{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF551B2F1CD02578C7D2425830A19F7B,SHA256=E806295DCEDAC0889056C8E0EC4DE3B0DAF4A64427014B7E6246EC34791C196C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233065Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.464{D371C250-6CAF-6127-0904-00000000F301}5202076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233064Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CAF-6127-0904-00000000F301}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233063Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233062Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233061Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233060Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233059Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233058Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233057Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233056Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233055Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233054Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6CAF-6127-0904-00000000F301}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233053Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.339{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CAF-6127-0904-00000000F301}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233052Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.341{D371C250-6CAF-6127-0904-00000000F301}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233051Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.214{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EDC6286F084286ECAE784B41D946E83,SHA256=DCD23DDFF3E8EFA3C7AE6711FF72FB6389A184F12FFB932516695C72D2D82635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233050Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:59.027{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1A5E654D9B51E0FE0EE48D71E81499,SHA256=4072923F7CDDAAEAA769F5B1E4733B8C0D24DA0345CB45FCA33CA8383203BC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273986Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:59.126{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB688C1C444A16C34BB7B27DEB0A559,SHA256=3CD1970AB36D79BE69FAF9223F070A920DAFDE803F9B33E3CEB5EEF38ED9F4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273988Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:00.142{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C1FC521771261F41AC632C7CC659B5,SHA256=31EEF755B3175F7022F7E87901CB6453B6CE66E2647F227CB032454511976254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233082Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.573{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AA65D412474C58ED48C157407AFC6D,SHA256=8A28BA0CD78A4D36F0A757CB62D95CC8D4A0A1577664FB577CEDABB3963AB7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233081Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.480{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72E24119C7E3B4211D3C3245460CC97,SHA256=ACF9712B4D2927FF4E9E614F8496789632062EA3652C7764C6BBBE780E820BDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233080Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.183{D371C250-6CB0-6127-0A04-00000000F301}10162836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000233079Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:27:57.051{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000233078Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CB0-6127-0A04-00000000F301}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233077Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233076Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233075Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233074Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233073Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233072Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233071Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233070Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233069Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233068Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6CB0-6127-0A04-00000000F301}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233067Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.011{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CB0-6127-0A04-00000000F301}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233066Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:00.012{D371C250-6CB0-6127-0A04-00000000F301}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273987Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:27:57.742{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273989Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:01.173{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F371209E5CE1B35BB4B8ABABC002DDF,SHA256=AFD6E7E1F2FEB820BAC2409967C96FE10A2EEE848DD48FFCCA8C55100A871EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233083Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:01.120{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E06E63DD1E3F9922EE1002F78FE9A2,SHA256=B2C6520D6E3A763096C675762E2C6DC2CC50F4B6E9538EB8BFC2D98C7F7F787C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273990Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:02.189{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEAE6BC472E628D4C01524E41A9971C,SHA256=9D4433A5BB709F87D2CE417C49A347F3358077C4CAFF065D19F450609DE0233E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233097Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.136{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D324CE979EB80E623841D523F067187,SHA256=294061A1AF89325141542919742F5537C0059D5C343310F2720C1D37C1E16A91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233096Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CB2-6127-0B04-00000000F301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233095Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233094Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233093Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233092Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233091Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233090Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233089Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233088Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233087Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233086Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6CB2-6127-0B04-00000000F301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233085Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.011{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CB2-6127-0B04-00000000F301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233084Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.012{D371C250-6CB2-6127-0B04-00000000F301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233099Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:03.152{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5BA9BF4044773CA43166F2A650F98A,SHA256=58801EAD13282BE76C1D33CC1D77DAD140EF31680360D25FDC760498CF186491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273991Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:03.220{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E46AE023F47186BD9886678B21CEBD,SHA256=781DCB0DF83A63C816EDCE148499F4A6D591B26B137262B5CC4FCB03F8150C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233098Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:03.027{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F284020DBD22F40CE3772D205BE05B4A,SHA256=577100B5511F05F06596C122B6AE4B6D77C41C5253B518C18FE2FFB7E3BC8C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233100Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:04.167{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E3E02876378DCC0624ED0EC4C73E6B,SHA256=CEB0C5B82BC5BA19652E208B547DD95611356541FC2554559F99D61F3957111F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273992Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:04.282{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F038CF1072748B18B222E45D00179246,SHA256=4BEE4E94B603229F027AC2DCED4E28366CC0CE8E8B1EF164F194689E9E59FE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233101Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:05.198{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049059436CE074898AD3AA57A1EE4719,SHA256=00C0D912A1C85B4604766C81480E4D4674407E8F42A425F494AD1900D1139F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:05.282{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1E9DD1AFDCE623E1B746FB3AF3F3EF,SHA256=EE8BE3675C131EB113FB1AC16D92CB03165CAAB0D7FC07E354999D3ECE273846,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:02.758{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000233103Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:02.176{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233102Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:06.198{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E6CB83F3AEBAB690B6C737096B5972,SHA256=DF1BAB26169448F342537612EA334577D1DA1052F55ED3EDD417FEAA3092FAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:06.298{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A2CAF89B3022C4F3DA812836C2E601,SHA256=D058146DBF6E40C0FE98470071625161E9E8A8F2A63834138EB7575E23CC6CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:07.360{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4794C86EB851820081D7DE1A497325,SHA256=0942710ED36C2E9735BFD600D55EB5AA64B9E33C577E22078631C8C047270693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233104Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:07.245{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CE302AA5437637A2B850070EF68730,SHA256=D8270EC861EE545AE6DB93236677FDB7747477B2C2C5958C58678DB8511760BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233105Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:08.292{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D093A2550747AF7951D2B766F55D1A1,SHA256=529BA9001A6249031C97ED9FBE6773F81C5F8A32427CB869CAFA2D2974438C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:08.376{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD975C7E7F44ABCE7893A85EB71CAE9,SHA256=FE5103BDD5F52B5F9B4D38AC094FE8A54473176BC2457BA78E27720EB7E108B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233106Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:09.323{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F28C6BC6AC213C9AE4D6F83A54C43AB,SHA256=51E052CED476EA77EC0BE862BE7966D1FEB65972A0651A3FC93A0A8DF34296C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:09.708{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-122MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:09.377{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58CC9CEF92A9A302BC50BFFEE6B7C85,SHA256=B42EACA683F943EF31062D7435BEF6A410AD670D27340479AE5B11CC23E5C442,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233108Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:08.051{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233107Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:10.323{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D59E00415C2B9A7FE21347055A6CA50,SHA256=FB59795FCB69D01BA52D90211212E7077592E22CCCDAC5A5FCC0DC8F841EF469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:10.722{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-123MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:10.690{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:10.690{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:10.690{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:10.690{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:10.690{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274003Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:10.690{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274002Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:10.690{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274001Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:10.424{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2709B26710FCDCD4D3433E9A18DB2014,SHA256=046C8BF7DA9F1B769424B5B6CCFDDD1A5B355CCDC4B02F25EAA67650EAF1DCD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274000Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:07.789{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000274018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:11.801{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CBB-6127-4704-00000000F201}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:11.801{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6CBB-6127-4704-00000000F201}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:11.801{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:11.801{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:11.801{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:11.801{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:11.801{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CBB-6127-4704-00000000F201}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:11.802{80A11F3A-6CBB-6127-4704-00000000F201}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:11.426{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996F80EB04E3F913E1853F414A86012D,SHA256=BD5B1363C801392A03AE1F91C3FAEEB12AEFEE409EF2F3FFE2E01560DA3483FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233109Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:11.323{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A36B48133DD753E8F47C71416F3872,SHA256=0230C694EC5011F38B6F95183943F624567A6088F2AB756620168C3D2C2BFF9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233110Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:12.323{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DC9B199F348F99E1BBF7BA2FF86088,SHA256=5A5219285838DD98844F6B7417BA95A03E8B16515C12AA81E37A791690CECD04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.926{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CBC-6127-4804-00000000F201}1348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.926{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.926{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.926{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.926{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.926{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6CBC-6127-4804-00000000F201}1348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.926{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CBC-6127-4804-00000000F201}1348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.927{80A11F3A-6CBC-6127-4804-00000000F201}1348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.817{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C648B3D37F9778883E576A69FC5BD5C7,SHA256=17489C4CC1C972E4A166B574F6166C3F444135713ACE3BBA350C3F907FC702C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.817{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A4D7041A38C80B257689D249F2D5AD,SHA256=69602675E40A32AD5486BCDFFD7D15256893F56D0FA42A7183A6179125B3A98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:12.442{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FF9C3B6715D6EC346BBCDEEEAEE9F4,SHA256=C18ACD9C87B0DC70AC27EEFF53818A26AB3C257DE05D613B7D85141E68397843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233111Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:13.325{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1166AEF7773B90774BA551FD81EBB9,SHA256=04942B14569A01EB0E4002B871078DE87F8C7FFEC791830B99C4A45698E99FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.926{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C648B3D37F9778883E576A69FC5BD5C7,SHA256=17489C4CC1C972E4A166B574F6166C3F444135713ACE3BBA350C3F907FC702C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.535{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CBD-6127-4904-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.535{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.535{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.535{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.535{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.535{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6CBD-6127-4904-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.535{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CBD-6127-4904-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.537{80A11F3A-6CBD-6127-4904-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.457{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D14701C74AE364B62B064A593174FEA,SHA256=5B24BD0563421B0E63D0A5EC7F70660E3D563FAF745489829A20DEA20B70B61F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.223{80A11F3A-6CBC-6127-4804-00000000F201}13482216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233112Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:14.339{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A4E7CE0C45A61FAE3803D11DC9F477,SHA256=57E850F8985F7EA686FEAF68EAAD845398F956E8D781E0427A01140A0401EB80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:14.848{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:14.848{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:14.848{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:14.488{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE25D2F4D50CF242EE21448C6C41568,SHA256=146E4A347F1A4013CD44E8C9D14E1F10F9A5D035B6BA35DC29880D41EDABAC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:15.582{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F0F587E64FBEF276C11A68D5A06C693,SHA256=889A7C3CEBE483BF34AB43E9D37ABAE0D9F1502E0F2D04581D8BC16752D34D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:15.535{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA9712CC1DFD251FA2EE652D44632B1,SHA256=EEAF63392F0125BF744E40D801B27F06701274F6E1BB12630288806CB07324E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233123Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:15.339{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF981516B101608EA4021F31AD7E3FFE,SHA256=5F6A0FF4C2437486F5686F4C1EC0E151C93D2E641D74A2D8374066D1D3CAA6B3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000233122Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:28:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000233121Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:28:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0073eb99) 13241300x8000000000000000233120Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:28:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5c-0xb2381b3f) 13241300x8000000000000000233119Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:28:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a65-0x13fc833f) 13241300x8000000000000000233118Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:28:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6d-0x75c0eb3f) 13241300x8000000000000000233117Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:28:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000233116Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:28:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0073eb99) 13241300x8000000000000000233115Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:28:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5c-0xb2381b3f) 13241300x8000000000000000233114Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:28:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a65-0x13fc833f) 13241300x8000000000000000233113Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:28:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6d-0x75c0eb3f) 354300x8000000000000000274045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:13.792{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000274058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:16.817{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CC0-6127-4A04-00000000F201}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:16.817{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:16.817{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:16.817{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:16.817{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:16.817{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6CC0-6127-4A04-00000000F201}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:16.817{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CC0-6127-4A04-00000000F201}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:16.818{80A11F3A-6CC0-6127-4A04-00000000F201}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:16.551{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A0A22FCE8FBE19145FEA563432DEB2,SHA256=1B132A1C98BBB461312C3C1C4D1A4DB44087611A1B7904983391460E00224ECD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233125Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:13.129{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233124Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:16.339{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B135AC2AD13102B25A9DB7F56D201F,SHA256=9EE8A5E26BA4149FB918F0466CAC38BEF4199C5BA8BAFC4AA563DC55F851FED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:14.122{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64046-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000274048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:14.122{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64046-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000274078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.988{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B5138E020D55AFE9E0038CBA2D8E982,SHA256=032C330F81E88CEEFD0680C158B7BB669C12D1AA6FCFDB767139F07B3EB15B25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.942{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CC1-6127-4C04-00000000F201}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.942{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.942{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.942{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.942{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.942{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6CC1-6127-4C04-00000000F201}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.942{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CC1-6127-4C04-00000000F201}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274070Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.942{80A11F3A-6CC1-6127-4C04-00000000F201}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274069Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.707{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246AEB8CDE1B7D2789260F7589AEED4E,SHA256=4A18976F2D911277D729426351DEC11329E28294C0CEB7675E3E9B7207FD38DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233126Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:17.386{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE829A2DB85A343E441793B8024FE17F,SHA256=5A1E48A0EFD3618EE393A73DA296CE6539F2FE5FA9C19045DA783F0FAFC3C87D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.676{80A11F3A-6CC1-6127-4B04-00000000F201}47082468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.317{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CC1-6127-4B04-00000000F201}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.317{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.317{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.317{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.317{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.317{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6CC1-6127-4B04-00000000F201}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.317{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CC1-6127-4B04-00000000F201}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.317{80A11F3A-6CC1-6127-4B04-00000000F201}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:17.035{80A11F3A-6CC0-6127-4A04-00000000F201}19364620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:18.707{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2879505E8E0ACAEACD339BBB4355E0,SHA256=89571AC23F49AE19E6200FF1079C715DDDCBD11A017AE9BA45B7D4EC29016E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233127Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:18.386{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70571F35ABE7783F330ABD5DCB5A1034,SHA256=FE1F52065CC275FFFFEEE0B4F2DCC163F6EF36BF6DD50247C620DB96D4858D55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:18.129{80A11F3A-6CC1-6127-4C04-00000000F201}157296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274089Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:19.723{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6E1639A35DF52F730346C291F5AB42,SHA256=A038F9011155C266D14DAA359E8E107922E2084835C5727637A5541D21350D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233128Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:19.386{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E618AA788297D96A82B8B987DBDBBA9A,SHA256=9DA3B359663B897FE1C51C66F3A739296758AE00B4CE091BDFD419D0622472B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274088Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:19.504{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CC3-6127-4D04-00000000F201}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274087Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:19.504{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274086Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:19.504{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274085Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:19.504{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274084Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:19.504{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274083Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:19.504{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6CC3-6127-4D04-00000000F201}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274082Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:19.504{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CC3-6127-4D04-00000000F201}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274081Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:19.505{80A11F3A-6CC3-6127-4D04-00000000F201}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274122Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.816{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C84EB0E45DE921242A816E227811C1,SHA256=C3150ADFE8C2FBAFA7842B7C91BDBB5CD2057F2C4BC560F85CA422E188C65EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233129Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:20.433{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0B78D2539A7E469A4E5FFB61B3BC51,SHA256=880801BD36BD94B87C561089C5A921AF2EA9C000FDF99C8D5A6E8CEFE63232A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.520{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32EC388FB66B6EC27419998B94F51813,SHA256=5A472E90E04FBC84EE9E353FC38B37D48BB4B8E42032FDC832335B936ED67553,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.473{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000274119Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.473{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000274118Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.473{80A11F3A-4F83-6127-8F00-00000000F201}45922700C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274117Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.473{80A11F3A-4F83-6127-8F00-00000000F201}45922700C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274116Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.441{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000274115Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.441{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000274114Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.441{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000274113Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.441{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000274112Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.441{80A11F3A-4F83-6127-8F00-00000000F201}45921604C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274111Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.441{80A11F3A-4F83-6127-8F00-00000000F201}45921604C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274110Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.426{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000274109Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.426{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000274108Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.426{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274107Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.426{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274106Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.410{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274105Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0D00-00000000F201}9005060C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274104Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0D00-00000000F201}9005060C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274103Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0D00-00000000F201}9005060C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274102Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0D00-00000000F201}9005060C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274101Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0D00-00000000F201}9005060C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274100Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0D00-00000000F201}9005060C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274099Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274098Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274097Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274096Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274095Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274094Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274093Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274092Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274091Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F83-6127-8F00-00000000F201}45921092C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274090Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:20.395{80A11F3A-4F83-6127-8F00-00000000F201}45921092C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.832{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4212BD07B9DFA942440DDA7735CC59DD,SHA256=DB1EACF6DA16230B3F64B3C00399C04D396B317EA809CA3A979B7621D0A5E42E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233131Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:18.176{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233130Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:21.495{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C417D89255B65B1EBE3033D6FDF0F519,SHA256=2FD33AC6DAFE6526C102A3CAB3EA90CBB5D81CD65E13696A76C063548281D838,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:19.714{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.520{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=CB791076FB9229981FF2A2FC1A0230C2,SHA256=382226A0960A88E5BE1EECA5B7CE450F0E9F95AD0A00EB7E9227CEDDC7CDBDDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274137Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.504{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000274136Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.504{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000274135Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.504{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274134Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.504{80A11F3A-4F83-6127-8F00-00000000F201}45921048C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274133Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.504{80A11F3A-4F83-6127-8F00-00000000F201}45921048C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274132Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.504{80A11F3A-4F83-6127-8F00-00000000F201}45925064C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274131Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.504{80A11F3A-4F83-6127-8F00-00000000F201}45925064C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.504{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274129Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.488{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274128Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.488{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274127Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.488{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274126Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.488{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274125Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.488{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274124Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.488{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274123Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:21.488{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274141Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:22.848{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8592CECD0C9FA58B9C3D3EA6E224936E,SHA256=E290C30DD8CFE6FE44000BDAFFD72F0F073F821D6AAB13FBB8427B04E25E2A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233132Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:22.495{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17526322CAEA5B46B8225612119AA029,SHA256=949921E3F7B69A1216FA73C51A5F5CE257D75C01A2495100FCED4290E4045FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274142Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:23.863{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8633885247BC940A99714A3B1043CE2D,SHA256=5ADF67FA37AE8E1FA2EEA72385AE4F0B4D0CADBF242D41D52F46B746C07C9077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233133Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:23.526{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4584057190AC3A7C6FB65969F8A6FB,SHA256=46C132E631B3ECD53DAC3A3737E1B2DB701711D830C95AA1842C337DFBA46193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274144Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:24.879{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2E4D09E4C07DB955E9C6098C002EBF,SHA256=AF597E7A5218B8D65FFA9A5513D0491AD69E4F33E2482762614C83132A37C674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233134Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:24.526{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02102DA32A16F1F5857B99C152F9B090,SHA256=626E8B2068D32227F8840A1EB040F79393A9F5B9370D8A817DE398997D8A514D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274143Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:24.316{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.ps1@2021-08-26_101814MD5=7068F2B9457C981A518DB03163C3D299,SHA256=2903DEC883ED551F2A278DF470811E921C189A4B71D932B4FE03430F291E0C67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274152Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:25.941{80A11F3A-4F17-6127-0C00-00000000F201}8404948C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274151Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:25.941{80A11F3A-4F17-6127-0C00-00000000F201}8404948C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274150Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:25.941{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274149Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:25.941{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000274148Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:25.910{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F536BD0E4A20AF8E40800ED3B42F576,SHA256=9B0750AA4F9B21C0E980AA618AFF6F9FA2A118E3DD563C095F6BBFE2046910B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233136Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:23.208{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233135Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:25.526{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432215365D3ACD297AFD1AA37A8151FA,SHA256=FC704E45B87529B265D5613A58E563F1806EE03BF9750C996AD912316C31C91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274147Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:25.176{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.ps1@2021-08-26_101814MD5=2FC3FCC264DFE2C6A747F1A8D6FEB04E,SHA256=33C49C6687B19F811BA4FED0187B89DDA9E680A9DC3F034046920A3426E6C427,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274146Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:25.176{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.ps12021-08-26 10:17:55.623 23542300x8000000000000000274145Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:25.176{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.ps1MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274165Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.926{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D7845B1C7AA58DD192EA1670D628ED,SHA256=19DFEE8377ACA1904AFA2CFA7E6E58E4AFE72B35988F8C9B317229B57D9278AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233137Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:26.527{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D2F6D1E67372ADFEBE70ECA2BC1C94,SHA256=C512F102E47AAF65219C9506D0C97D793793945789328701C0770A932BCBE94A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274164Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.863{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274163Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.863{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274162Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.863{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274161Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.863{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274160Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.863{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274159Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.863{80A11F3A-4F82-6127-8800-00000000F201}41204728C:\Windows\system32\sihost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274158Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.816{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.816{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274156Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.816{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000274155Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.457{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_102821MD5=8458CC0915FC3472E9141CDEB930A853,SHA256=AEB372DB132636B209ED268F5BA36D4DFCF4EDC266AE79EAD9F362ACB7092107,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274154Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.441{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.bat2021-08-26 10:17:00.433 23542300x8000000000000000274153Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:26.441{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.batMD5=EF5397F56992380A81A5FE13BDE538DB,SHA256=4662BB4E1D3188D00E4A7D6C17A045C338280B40112B3BB19174F76F15A9C4DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274167Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:27.926{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27EEDEC901FFE33E5614A3C6DC15FD00,SHA256=40C94B0B86BD13DB819E31E10AECA53BE52CBED323820930807A2B936781C5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233138Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:27.573{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A570574A96EF3D2EA49A7FCED67AFB8,SHA256=CF01E0EB8D7F7D32A2453697A9833A27BC34EE1A56AB5EF9DBA087CD20D3DF07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274166Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:24.730{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274168Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:28.941{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA636E222CC0D6B582A6F8A4E0655D8C,SHA256=CE20110B66DFAC3D7A149290685BDFB11F461D4FF15D3209D38B2BD1CF4D1613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233139Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:28.589{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD66B92CF07E41757C90526A0E9059F7,SHA256=8D95F595E96A4535AD328FE7F6310C5C6393C70EA0CF0515C8740E5559C992DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274169Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:29.973{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD194DAEC2E1B959BDA53E7E84578DB0,SHA256=D2B0C58FD635329E86D7B2D2AD696B7E9D215B47759BCBE35ECADF85F74A358F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233140Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:29.589{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE54F5E8DA64760ACFB72C3EC8133DE,SHA256=66AFB19BAF8ABB096EF7EEF1B1DB18C64EAAD8BAEC72B9AFCFBDFA60F848A2AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233142Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:28.239{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233141Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:30.589{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFB8AEB2C68867FBD34063B10D28790,SHA256=6C5A3D53DF870EA5624ECD5BD6A74F6C314FA0F4E57311AA62D3CB3177DDC961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233143Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:31.605{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612B5CA450C2191680DAD5FDE2F7094C,SHA256=99198D8FFF4FF8E53D8DCC16D8871F2D365DC52A3233D043FCE6D3DB7D449627,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274196Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:29.792{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000274195Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.645{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274194Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.645{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274193Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.645{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274192Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.629{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274191Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.629{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274190Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.598{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274189Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.598{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274188Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.598{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274187Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.598{80A11F3A-4F83-6127-8F00-00000000F201}45921964C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274186Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.598{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274185Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.598{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274184Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.598{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274183Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.598{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274182Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.582{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274181Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.582{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274180Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.582{80A11F3A-6CCF-6127-4F04-00000000F201}48603652C:\Windows\system32\conhost.exe{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274179Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.582{80A11F3A-4F17-6127-1300-00000000F201}9883752C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274178Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.566{80A11F3A-4F80-6127-8000-00000000F201}2204644C:\Windows\system32\csrss.exe{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274177Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.551{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274176Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.551{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274175Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.551{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274174Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.551{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274173Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.551{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274172Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.551{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+1f9bca|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+175660|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+17c4a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000274171Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.554{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Users\Administrator\Downloads\PowerSploit-master\Recon"C:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000274170Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:31.004{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDD5FFF9C9CEDDBD8E8B7232699E203,SHA256=81EB4D75CE48991CE2816703EF6ABCFD25DA6921CF0075A57145BB23B1F74F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233144Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:32.667{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7B3177D49F9B99A9D3478A7C37DC0B,SHA256=08C0AC3029FB7A9D3C03A47D512AB05D16426A487470CA1ADFFDD0FDA1FE2D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274199Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:32.566{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63CEBA980CA694D23EC6548CEDBCF48E,SHA256=C9CCF0DEEA222B16EBE0CF8DDDD847470A7B3A89D92B230F79FDB7962D7A7E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274198Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:32.566{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0197AE9F09A2DF3E0033BA232519126C,SHA256=B4B49E17916789755973CE50C05F086EA95CB46B8B7E0DD3C7056212FE47D55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274197Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:32.020{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A227FE662B0D14C249DAE617337D9D9F,SHA256=6A207A82DE6B76B4F3FD4D50CA27823CAE746813701F3554248FC804339C9FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233145Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:33.683{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD74251B71E3BA05FB783D5155CF0F0E,SHA256=EA7E8FE00034D524B00AC8603C68840D07A47118F6140786C1FCCCA3A76BE3D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:33.051{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CBE7A93571410464F27B30F68736FA,SHA256=8B1B8D8800477521A4AB14CFD146FF6D0724FAC361C012D76BD657F1B6749F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233146Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:34.730{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E19776E10C106298949AE6885A520D,SHA256=9741B284FACDDBC451E34F22AC44D05EA60C1C9219638771B08A614B4DDD253D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:34.066{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056964F2B30F39825F8CA019AA1A1D6D,SHA256=E898C0F750CAD045BECA6B3A1759719C2EC58B3002D198E1193B36F03071C0DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233147Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:35.730{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B54A32C45F537B2AB20DEF5EB6A737E,SHA256=0574A442EB8640F8992BB65C21D61FFC3B1F39F13458B3193EA994CC9A649706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274202Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:35.066{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE69F64EA072C203B3CF25B062975CD,SHA256=DFD26F48C9ABC4F5264C1A1C40EC3DA1BA3C05DF6E02EF7D61C2D6EA7047FF81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233148Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:36.745{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1D766B6A70CB81EC17BEA48407F48C,SHA256=C85A80888B701185ADBD809C1F316F9825F711066B9DD3B0377FD36A9823E72F,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000274216Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-26 10:28:36.957{80A11F3A-6CD4-6127-5004-00000000F201}5056\PSHost.132744473167717213.5056.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000274215Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.941{80A11F3A-6CD4-6127-5004-00000000F201}5056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cfc451jp.gh4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274214Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.926{80A11F3A-6CD4-6127-5004-00000000F201}5056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ufbxcx3d.la5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274213Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.832{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ufbxcx3d.la5.ps12021-08-26 10:28:36.832 10341000x8000000000000000274212Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.816{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274211Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.770{80A11F3A-6CCF-6127-4F04-00000000F201}48603652C:\Windows\system32\conhost.exe{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274210Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.770{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274209Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.770{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274208Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.770{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274207Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.770{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274206Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.770{80A11F3A-4F80-6127-8000-00000000F201}2204644C:\Windows\system32\csrss.exe{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274205Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.770{80A11F3A-6CCF-6127-4E04-00000000F201}23244324C:\Windows\system32\cmd.exe{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274204Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.771{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershellC:\Users\Administrator\Downloads\PowerSploit-master\Recon\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Users\Administrator\Downloads\PowerSploit-master\Recon" 23542300x8000000000000000274203Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:36.082{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A56C0CBEF54ACAE6B544335D8952B94,SHA256=2188647364339A0C6B1067390A7D1530C93F063E715E19ABC3AB21A13BC639D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233150Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:34.005{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233149Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:37.745{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824E9A0FF9B3E58E85A21977302E1342,SHA256=E981E4F25213F35D2E89ED1920BA38F3F5C480CA97A74B5507A00E2335A7838A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274225Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:37.816{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A65F04C9C2F221FC580FF4BED4CC634E,SHA256=86E0EC0D24C98461E41CF57F2A1F6AE0288C1E22E9F85ADE1C1D2A7B04FAFE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274224Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:37.801{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8B417138FDED1A7BBC2E12AF9EF081B,SHA256=4B042889B15206406CCA9B2CABB600380E3FA561EA54399D98F7D70D7113DCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274223Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:37.801{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63CEBA980CA694D23EC6548CEDBCF48E,SHA256=C9CCF0DEEA222B16EBE0CF8DDDD847470A7B3A89D92B230F79FDB7962D7A7E5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274222Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:35.808{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274221Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:37.113{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846D7FC4CFD24F82A08181F80C1025BE,SHA256=FC70773B2AB85E7A95282C44485ACAA793790DB08196A9A828B6C3FDF866AA27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274220Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:37.035{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274219Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:37.035{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274218Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:37.020{80A11F3A-4F15-6127-0B00-00000000F201}6321960C:\Windows\system32\lsass.exe{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274217Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:37.020{80A11F3A-4F15-6127-0B00-00000000F201}6321960C:\Windows\system32\lsass.exe{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233151Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:38.776{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABFA074F0990ED9D8138198097ECC33B,SHA256=6031FA805E980E4105C0532DBB3CF782BBFCB5B26C563869659C06541DA7C6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274226Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:38.160{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B67412CE278158E74E4488FB4DA561,SHA256=236E54AABBBEC946862F25AEC28D9C4EC9DB54023CDA566BC0792F4774F7E549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233152Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:39.776{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2D5E4A6E40CD42B6F46218487C8E03,SHA256=EB514880D1BC1BF8EA1EA82358F882DD554C1A216C17DDFBE38217AFFA31AF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274227Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:39.160{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5E946F19BCF596C622C03B4B5EC18F,SHA256=4514AB5902289956256C05342275DD3E5B306359676D025F71DC35C9E5B13329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233153Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:40.808{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E407712669E11637DB2731E2513E8B,SHA256=C9855595AE2740F763945820F146351024B8EDC3845C314F390188E4847E5464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274228Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:40.176{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277B177EFB7188281155E8773DA91748,SHA256=26FDA893502A4D18F11461B93C292922A04627F0133FBC1B6E2F768E63D40E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233154Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:41.855{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170D07B0FEB7B73AFC9DD26B4B93F073,SHA256=286DFA9586C796BCA6EA384C8A4F126419B4833EBC387F147E33D5E3E6677E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274229Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:41.191{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57BD98878ED63E4AC2478F86B26B3C5,SHA256=5D594C24BD98173E4E84536CC44675781C06CFF19840BB42F13E7ACC190CF233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233155Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:42.917{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B055FA8AF55CDC42FFA3785CDE6799F6,SHA256=DB1E76F1BE9C499910764F2ED3FD61DFC002AAAD5F5B2AFD8A71C3851C2B1660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274231Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:42.207{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E618B5F4CB2320F03A62C9BC6521403,SHA256=3C9E05F6858F006B49498C4C75E7D57EE283018C18E1401F608A5FFE269FA012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274230Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:42.191{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=65FC70F0A3CF07AB62F590AB4DF34D27,SHA256=587326AD8074F44E9C975246DDF9814E507347CC695B44312261512DFCE34133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233158Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:43.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DD11058FB86F04B3E465D51FD15082,SHA256=41E14C0E51FD5CB8108807E3465381062E43F013DDD551E942FF27AFE06CDA72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274232Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:43.223{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C19FA6FEED560D8CF56CE03C0DF464C,SHA256=68369911F2DB97ECC5AEFC707A6D58BD0AD0A6E191C639364E8DEE4FB13B13B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233157Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:43.448{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=18534F3A9087CFE172168F4252B57C47,SHA256=00339AA49B8E7796A2274270B6FEF98B4A7628C0AC2D2485BE8C2FC4DC1F2DFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233156Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:40.021{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233159Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:44.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C95029465173AE46A8253EE66D0BBD,SHA256=C6D1F442A3C4F0C203454166636EA9628D672BBB5250F55840F9F6F7A9145C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274234Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:44.238{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED250BCC8CD223BD54AA4E7DE7754A2E,SHA256=7EE5988FB21343CA00DE3B4B85E4FAC4CFE6657237ABF3BFF3E2BFCB5C241F09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274233Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:41.651{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233163Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:45.980{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434226F394871156265BEF7F90D46A86,SHA256=469B2849164D8CE417D2A18354DC3139449DE7B5DD3BAC69E2DD0B0EE08DA8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274236Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:45.285{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F275964B8937D134D3ED2745C17B49C6,SHA256=ED855F080B23639CFAECA943DAF09447A766C9FFDAE708805DA9C44B9569BDD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233162Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:45.870{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233161Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:45.870{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233160Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:45.870{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274235Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:45.223{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=52EEB9C3001C5773B5DD05C2E74A42AC,SHA256=F161A1E8EB4425E371B660C492B1BB260A9532C9B63B4C4246C5E04E2F43B27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274237Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:46.301{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE3EF4F3B12CFE9B53D6852CDBF0122,SHA256=B663412BC195388F36DC17D4136EE7A1223D2E4BA0A4E81D55931F371C56824B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274238Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:47.332{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB85AEBB3CAE4CC895ED40B10D97F070,SHA256=0220D1A5EB5FE40BA73E7FDBA1055A819109CCF783DE3572B6710B13F4556615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233164Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:47.011{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA01C6101B813ECE02361A4F687A4ECF,SHA256=89A9012F5FEE4E9C1B8D5C40A3960134BB0176F3407643ED34A5BF7A81B9517C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:48.629{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3A2B2CF952FBF632A0E9A04F8EDE5506,SHA256=FA2573223B11E032B43CE258F2AFB20F0554B4641324234B38C5F84063532B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:48.613{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C461047BD4AD8A2FECFED81CE221C42A,SHA256=7DF85B2F3CC866CAED8A327FD4EB733DE19084A525107C809749AAA735BE64B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274239Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:48.348{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6A42DC4BF54F5EA92ED94F5B30D5D6,SHA256=CC5A6E27DBB64DEA393EE19020D94A1BC1EE0313747598A5DC020691704E7CC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233166Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:45.130{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233165Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:48.011{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C682FA13604B67AD53460CA71D6A84,SHA256=BB171B955F62EFC3E7FB3AD855D5A603FF05848ED7EA61EB53A236EF8EFFDEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.723{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.629{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.629{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.629{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.629{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.629{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274246Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.629{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274245Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.629{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.457{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=194488D365A74E8CC69CDCCE2194153C,SHA256=0763F7CD581D8AC56FEBD9589F265ADC30D46FEFE550C682A705500468DA2859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.379{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EACAE2B199FF59E76F6F1451B04662F,SHA256=09002A4FB65473A3E5EC5807FF90A15EDB6A42AAEB859337AC9710F30FD6DC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233167Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:49.026{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50356AD470845DF5B39F6288439A891D,SHA256=8E702A23300082507AE99E2DDC8693B64260BC733825CB4E88375E53BF183C3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:46.683{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:50.410{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95ACD19B87651FE9A88D7F7A8304B6C9,SHA256=047418D1427221E9F16019195538F1015CCAE43854B3A82F735C5F1EAC275423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233168Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:50.026{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307F50F1F88BD21B508E4219A4DC70CA,SHA256=21B909DD545DCD0BF58549BAA95AF42F0133C8D34A4E74C549066B1A7834EE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:51.426{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5706DFA701B84FEEE5BAA3435612C66B,SHA256=69F98DEAAF95C9594A9B3EA2CE2FD4AA16A18E443FAB053B059167910B2E01B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233169Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:51.026{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACDB6BE94A7D560A52B832D22C1C1BD,SHA256=A0AC494CE77F541818D89F9B7E2E2B1706C833FF356463C7651C48D5C509A5AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:49.277{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000274263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:52.441{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E9D4604EDA94E4CC23FFD0E8958F70,SHA256=DD782529A023DBDA3DF1BE8EF3A8670BC2C37A69A1A6CA866B3524958EB68B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233170Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:52.026{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57D16A0F0348A317FB90FCED204ED2C,SHA256=16687ADCD12C2487171646A51A85328F6624493B4B6C668773C7B24B841E9201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:52.285{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:52.285{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:52.285{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:52.269{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:52.269{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:52.269{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:52.269{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.848{80A11F3A-4F15-6127-0B00-00000000F201}6321960C:\Windows\system32\lsass.exe{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.848{80A11F3A-4F15-6127-0B00-00000000F201}6321960C:\Windows\system32\lsass.exe{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.598{80A11F3A-6CD4-6127-5004-00000000F201}5056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-391.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000274265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.535{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x8000000000000000274264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.441{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567461E4BC86C6C12AF209377B55BB17,SHA256=7DAD0B557B432DCCE43B7E4E95D554F7E486995B0C4A03E77DB40152FF770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233171Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:53.026{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566D4EF3B5A64EB6036132095CD6BDF1,SHA256=A49F93D6C6386ACB3D305EBB105F548E3AFD6BD358A2577B50861376C53D7DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:54.957{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E4DFB9057B17BF4E9E512DF7EA9A49E,SHA256=9A45B415D9B86E46DABB28971F19183B06C9296CB154667D6C954E7F812A3F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:54.457{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1597773E7F7E9208CCD383137A01C0,SHA256=EB2A83D58249C4991C9557602D66677B8F8E8FD802FFC4E040427F1254B9009D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233187Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CE6-6127-0C04-00000000F301}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233186Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233185Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233184Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233183Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233182Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233181Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233180Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233179Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233178Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233177Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6CE6-6127-0C04-00000000F301}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233176Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.503{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CE6-6127-0C04-00000000F301}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233175Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.504{D371C250-6CE6-6127-0C04-00000000F301}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000233174Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:51.161{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233173Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.094{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-123MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233172Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:54.029{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8945264AA53CFC94A7F1BCC222A4FD45,SHA256=6A2907FEBB5D39861D401234346B7790BDBFBF88AA48772E52DDF7CF15601AD1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000274283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.104{80A11F3A-6CD4-6127-5004-00000000F201}5056WIN-DC-391.ATTACKRANGE.LOCAL0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000274282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.101{80A11F3A-6CD4-6127-5004-00000000F201}5056_ldap._tcp.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000274281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.101{80A11F3A-6CD4-6127-5004-00000000F201}5056_ldap._tcp.Default-First-Site-Name._sites.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000274280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.099{80A11F3A-4F15-6127-0B00-00000000F201}632_ldap._tcp.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\lsass.exe 22542200x8000000000000000274279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.098{80A11F3A-4F15-6127-0B00-00000000F201}632_ldap._tcp.Default-First-Site-Name._sites.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\lsass.exe 23542300x8000000000000000274278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:55.457{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5741A9BE590CAC3251E286B7F309CF9C,SHA256=EC31FF64AADA19601190D01455E8AE30BB0099F9D3592DF079D4C55E42178D3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233218Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.940{D371C250-6CE7-6127-0E04-00000000F301}33602492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233217Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CE7-6127-0E04-00000000F301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233216Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233215Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233214Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233213Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233212Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233211Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233210Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233209Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233208Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233207Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6CE7-6127-0E04-00000000F301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233206Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.737{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CE7-6127-0E04-00000000F301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233205Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.738{D371C250-6CE7-6127-0E04-00000000F301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233204Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.516{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCED03965C1916D0F253331CC7BF2E8F,SHA256=4A6B7664D7AF1BBFF1E01980E908F7AFE2CCAA38564999A010364CF0E086A6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233203Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.516{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=854DBAF1C4B656A328BDBE143B546030,SHA256=44A544F2E165C3BD4493443A9AC6FD73DCE2CE846D3D7F1F4653C00E094D9284,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233202Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CE7-6127-0D04-00000000F301}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233201Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233200Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233199Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233198Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233197Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233196Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233195Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233194Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233193Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233192Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6CE7-6127-0D04-00000000F301}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233191Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.126{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CE7-6127-0D04-00000000F301}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233190Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.128{D371C250-6CE7-6127-0D04-00000000F301}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233189Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.098{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-124MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233188Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.034{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C241020971322BDE0A53BE2AD5C51E,SHA256=ECCC9E0F8CAE2CDF711743133B76F9E5826701B549A3C64A2384C9CF399CF723,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.422{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64056-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000274276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.422{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64056-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000274275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.105{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64055-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000274274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.105{80A11F3A-6CD4-6127-5004-00000000F201}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64055-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000274273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.098{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52088- 354300x8000000000000000274272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:53.098{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52088-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domain 354300x8000000000000000274271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:52.667{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:56.504{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717A0DED0C51095C5BA355695B58614E,SHA256=4D548B62371DAD96170013056F1EBF182D7AEFF9FB25DADD74CDCCB0FEE180EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233221Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:56.955{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCED03965C1916D0F253331CC7BF2E8F,SHA256=4A6B7664D7AF1BBFF1E01980E908F7AFE2CCAA38564999A010364CF0E086A6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233220Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:56.596{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233219Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:56.096{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC91D8CCE00AB5B28A5EC4B5419E8ABF,SHA256=7B7BF75C620CD0FF2E90BD253AFB9EAF6DAA2F5E332BCD72C61E79994AE6CA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:57.551{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F6359806231EFF8D4F6FBE5FE15057,SHA256=ECC8A2EFA9A8693A924CCC5FCD8F0DCA1EE1F52BE8A057ADC27DBDBEE15A9336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233222Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:57.143{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFA61E914D4095DB73C86B60C43EBD7,SHA256=51DC08A09E21CF74A0CDBBE1E7F1D559A87E5FB8AD60F0D766780E52E3D2DA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:58.582{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9D3435B896AA204E0243DA34F8420C,SHA256=77B17E756F8F36CB2E5EC258F4034209A5532D89141F4D30143B8E08CB6ABA7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233238Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.393{D371C250-6CEA-6127-0F04-00000000F301}39883472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000233237Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:55.559{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000233236Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CEA-6127-0F04-00000000F301}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233235Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233234Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233233Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233232Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233231Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233230Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233229Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233228Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233227Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233226Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6CEA-6127-0F04-00000000F301}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233225Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CEA-6127-0F04-00000000F301}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233224Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.190{D371C250-6CEA-6127-0F04-00000000F301}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233223Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:58.143{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB18DE298993A75B2FFB6FC62ED2B86,SHA256=5B8CE2F2801492D30D972685078809F7DE18BCFDCD3CCC19E90D6179EA2D9C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274288Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:59.582{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2AA70F95916C1FDBD8DE588104436B,SHA256=6EC0B3A1FD8CAFCA59CBFD9C41F4AF4BA7E2C2085D53639F018F871AF7245F51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233255Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.549{D371C250-6CEB-6127-1004-00000000F301}25002312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233254Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.377{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66421047D2ED431E493FB7D99E6DE46F,SHA256=F351F3B4475C93F8DD87142C2173AB33170CC1D2C9AD9B4E69933907DA0E187F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233253Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CEB-6127-1004-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233252Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233251Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233250Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233249Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233248Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233247Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233246Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233245Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233244Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233243Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6CEB-6127-1004-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233242Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.346{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CEB-6127-1004-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233241Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.347{D371C250-6CEB-6127-1004-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000233240Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:57.090{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233239Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:28:59.143{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86C5EE4A380E7907FBD2A3D41AB9376,SHA256=65F2EF8288EAC96A20B883A920BC940C72FE9C57EEB5F26D372A64F69C92E980,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:28:57.745{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274289Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:00.597{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9423BC76EF564644532D3697075CA845,SHA256=BD81D78AA83C6DEB5ED78662CC2994FF6A976FE20E4C9E9FF5DB8E790FCEE06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233270Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.643{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964D6C2C0E735B7A7921A1C459B6D4F5,SHA256=23C6268937F502DABFF40A3D568ECE0897386B8179ACB1881A807F1404F0344E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233269Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.252{D371C250-6CEC-6127-1104-00000000F301}39481648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233268Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CEC-6127-1104-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233267Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233266Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233265Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233264Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233263Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233262Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233261Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233260Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233259Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233258Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6CEC-6127-1104-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233257Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.018{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CEC-6127-1104-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233256Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:00.019{D371C250-6CEC-6127-1104-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274290Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:01.613{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1875870732B1CDE4FB2263BC45D4AE2A,SHA256=D1D412AC3767CCF38F11EE2D2BB17E834D30F69371C894963CA17113D6ED128E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233272Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:01.252{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26800A58065BDFBB2919ABEB39996B81,SHA256=B64A47D2A866587850EBF28FE4CADDE9BE5D50DF26EBCB3FBA962554143F4782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233271Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:01.033{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEFDD204CA8B9503BF229CE083E6E6E8,SHA256=E85F39BD0A0C86AC408D7EA351FFA8ABB99D1A00A751952C1625A2721A72B9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274291Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:02.629{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA8B535FC1B1B92C5ADBDB2D6568FD8,SHA256=DF6F988492273D43579E4187046617EBC31B12E8F8782784B9F79CF9CCF9E310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233286Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.299{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1E23798268A313B4309762C69E6C99,SHA256=3B4146EBF2BF01F167E4FF1D59A8D8F8625FB1EB83FDCAAF6690D6FC4A276291,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233285Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6CEE-6127-1204-00000000F301}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233284Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233283Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233282Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233281Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233280Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233279Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233278Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233277Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233276Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233275Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6CEE-6127-1204-00000000F301}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233274Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.018{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6CEE-6127-1204-00000000F301}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233273Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.019{D371C250-6CEE-6127-1204-00000000F301}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274295Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:03.644{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11277AA31D69914DA8CA9ECA01A14F9,SHA256=162357ECE887A7D78235F4CB4B0D551C5C374DF724D501AE0897CAF0CB9F8999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233288Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:03.346{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9AE674619CF12594903C0A948AFC3F,SHA256=AE7654F0EF7051E9CFCCE922EBA020F9CFACA5366FFC369CCF4F25B4883AEC69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274294Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:03.504{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274293Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:03.504{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274292Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:03.504{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233287Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:03.018{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B2F4EC6EA011F6F3FAF0C06EDBCED58,SHA256=CA1D412D823FEF0AD03A8F5166B8F1B58C3E66655ACB0CE3FDECE0DC676A5D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274296Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:04.660{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5517EC431A5C7B8A4F1081CA2A6A2D,SHA256=1A025A74CD457407E37FC84B51A4A3849101CD97670EE4682F8F26B68847EA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233289Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:04.346{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC41A1F4700EBDCD92A31D9D9A736F67,SHA256=DE826FD1C69EFFA2445D5349D8F0BC95F44F707E418788B029AA60016D590A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274298Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:05.676{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9E083B126D0F017C135105BFF5D9E0,SHA256=57A646F77FE60EE53309B33E90243D101A68375CD43DCBD22630110096536B38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233291Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:02.184{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233290Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:05.362{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5355FD8DDD416D83326293C11B122FFA,SHA256=2557E809F59A0206FACBAE0ED131A0E371ABE022C4AAEAF61BDFC59D4CFC4F61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274297Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:03.745{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274299Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:06.691{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D46A24C83C376F54F762ADF05889847,SHA256=47059E0DBE43F271515F101B8CCBEAEBA22F4E2DD568056E60304B43EA697F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233292Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:06.471{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C967CE636E52EE7BD087F24E70361A26,SHA256=555B74E66DAFB656382252BD04EE0C7EDE98384D3B400DD33A7F9354D1F67008,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274307Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:07.894{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274306Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:07.894{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274305Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:07.894{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274304Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:07.879{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274303Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:07.879{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274302Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:07.879{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274301Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:07.879{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274300Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:07.691{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C978575826B037E991BD58E7202C80AA,SHA256=1EEE885236ABE75C2769400DA6382A2B7058D49FE51B83AA340520397E68FE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233293Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:07.502{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30A16AD881B38ACAC0EAAB6925AE7E3,SHA256=2293E2BB37CBF69D8DD3490D4B8BB4713BA1A59ECDC5F96EE74C8F1571C490EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274308Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:08.707{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FC85E97CBF0CFC1858E423DF24944E,SHA256=E9FF55FB1D30961E63BEB2CCB29C396ECF13B5B157C1BB28013DBFD6A8D37C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233294Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:08.518{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A22331EF3ADCE3396921946202555BB,SHA256=6D915826AB482A3D77E804A2293C0F649C9810FBD2E3D721A104488408EA012D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274309Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:09.722{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D23B99857E80796E56855BE67CFD79,SHA256=C23E5564F0E7ADB0A474701BA56A77D47BA75EF424456FCC21FFFE30591D42A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233295Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:09.533{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7840ADA3053E3390D0AE895A07B52B,SHA256=AC4DA042BBAC02210C1E62AD0CCEB08FB544C94C02EAB77FA157DD5AD1376BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274310Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:10.740{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1208E28922E76A72BCEA10FDA198BB47,SHA256=F377FA16A8AE1F095EF468871D8802290E9F1F7723B7C7AA6354C50BB15078A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233297Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:10.549{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34815BC2B3D497FC2C7FE710CB3C393,SHA256=DAA0118842DF5D4B18BB77CF13EB4B4C17119DEEE6AD8DC955F1544A29D8F2BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233296Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:08.153{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000274321Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:11.810{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CF7-6127-5104-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274320Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:11.810{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274319Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:11.810{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274318Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:11.810{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274317Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:11.810{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274316Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:11.810{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6CF7-6127-5104-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274315Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:11.810{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CF7-6127-5104-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274314Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:11.811{80A11F3A-6CF7-6127-5104-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274313Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:11.747{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407ACF34A6AAED70DDCB4ADDC1701F1E,SHA256=1D75A6F05B0B4E887D4CB4BDF3FAD32881013087DA5BDBA7E090787010B89B79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274312Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:09.698{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233298Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:11.549{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24A77C9BF936E4994C806F0254CB0D0,SHA256=AA4EDE7E1F98897B55DB125B998517C34C504FB84CBCDBDD262956BA9FE7B3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274311Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:11.243{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-123MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.844{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CF8-6127-5204-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274332Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.844{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274331Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.844{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274330Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.844{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274329Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.844{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274328Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.844{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6CF8-6127-5204-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274327Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.844{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CF8-6127-5204-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274326Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.845{80A11F3A-6CF8-6127-5204-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274325Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.813{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE633B6BF2A10CE4B400660ECAFF182,SHA256=B62DC79B4CFCE3DC9F1FC335E9AB8357CFE33A675E58939DE1373508ABD880AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274324Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.813{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8B417138FDED1A7BBC2E12AF9EF081B,SHA256=4B042889B15206406CCA9B2CABB600380E3FA561EA54399D98F7D70D7113DCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274323Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.766{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80490100D06899172470366BF62AFF05,SHA256=FDE558C67355A3A2550175758EC2FDC2958258E0F45EBA22EE99FDA2B4305931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233299Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:12.549{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C4E995B2E7FADF4F3CD74278F40A24,SHA256=D117F0853FBF58A1D6BFE00B833628332114B2550B6DA5A4A637A7218DB55982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274322Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:12.249{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-124MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274345Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.844{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE633B6BF2A10CE4B400660ECAFF182,SHA256=B62DC79B4CFCE3DC9F1FC335E9AB8357CFE33A675E58939DE1373508ABD880AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274344Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.782{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17AB69B57E09EA747D4DC9FBF42A69B,SHA256=3C924A38663D78E85B9FB76D599E81AC76B77EBE408C3DEB35D62650BDF248FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233300Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:13.549{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01EB54F16431812D292DD6C8E250D608,SHA256=48724BC8284FCFA4552802CA94E355516BF1291FAB6A6A24875D967094042E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274343Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.422{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=96C589FFBDEA7F35FD164CE6B033DE93,SHA256=91EE0084D0C98453A69E2BF8512E0E7BFA75AE3D48E87DB42D1939CF8E6E0FE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.344{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CF9-6127-5304-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.344{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.344{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274339Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.344{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274338Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.344{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274337Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.344{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6CF9-6127-5304-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.344{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CF9-6127-5304-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.345{80A11F3A-6CF9-6127-5304-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:13.078{80A11F3A-6CF8-6127-5204-00000000F201}2468964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233301Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:14.549{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B1775D1229A2970175BA5DB353ED9F,SHA256=357A83A4574E79F76633DEAA15CB3770DB0565A35F0BE0A7D02537294322A1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274346Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:14.797{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAB2F7DB50DE2B4C01B355DD2148233,SHA256=8C76AC3624717219B21F2AE8401246EC591B8FAB66E1E6DCA06D8B7B1802BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.828{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5810F8D481F1C950E69AB5EEE572EE75,SHA256=41F29925F112E58D0DB0DA7280A1778A736A556A174AD4DA08EF55C1A200C43D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233303Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:13.184{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233302Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:15.549{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4515B6602260733D550D5D942FB146A,SHA256=7CA58F0899F58BD41C4D37BA2B3647C863AC6CE54CCC2EFCE66ABF89851EA875,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.703{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000274371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.703{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000274370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.703{80A11F3A-4F83-6127-8F00-00000000F201}45921068C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.703{80A11F3A-4F83-6127-8F00-00000000F201}45921068C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.657{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000274367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.657{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000274366Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.657{80A11F3A-4F83-6127-8F00-00000000F201}45925052C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274365Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.657{80A11F3A-4F83-6127-8F00-00000000F201}45925052C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274364Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.657{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000274363Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.657{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000274362Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.657{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000274361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.657{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000274360Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.641{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274359Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.641{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274358Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.641{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C72A7660FAE1558662347ACE7925F6D6,SHA256=A30A7CB49B5F46B78C7AC40A4BC211826E18B8CFA04BE64AF6EB83C5C4DC544A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274357Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274356Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274355Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274354Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274353Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274352Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274351Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274349Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274348Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F83-6127-8F00-00000000F201}45921092C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274347Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.625{80A11F3A-4F83-6127-8F00-00000000F201}45921092C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000274399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:14.148{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64060-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000274398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:14.148{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64060-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000274397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.875{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E53D7F25E467569BE31BF04CC651C2A,SHA256=9B4D4BE0CF95CF20636005EF40546AC4D591A2D9C0A7D1EB60C860817F9E5C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233304Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:16.549{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80034EBFEC9449E774D3A8A7A28F09F5,SHA256=8437407E337040048ECD1B5EDA3EC2EDD6DC974989300A828607E50D05FDFBEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.844{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CFC-6127-5404-00000000F201}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.844{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.844{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.844{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.844{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.844{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6CFC-6127-5404-00000000F201}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.844{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CFC-6127-5404-00000000F201}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.845{80A11F3A-6CFC-6127-5404-00000000F201}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.594{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000274387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.594{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000274386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.578{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.578{80A11F3A-4F83-6127-8F00-00000000F201}45923300C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.578{80A11F3A-4F83-6127-8F00-00000000F201}45923300C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.578{80A11F3A-4F83-6127-8F00-00000000F201}45924708C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.578{80A11F3A-4F83-6127-8F00-00000000F201}45924708C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.578{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.578{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.578{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.578{80A11F3A-4F83-6127-8F00-00000000F201}45924764C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.563{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.563{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.563{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:16.563{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000274420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:15.726{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.906{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D127546C9C1B1E376A5BB2FB17EEB99,SHA256=B0F2380F08A62A02E6A09E131389572B407CA0BA1E84FEBB3F286A07B8610C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233305Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:17.549{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FAC316E69C08485E08EFB1A640A48D,SHA256=568A6FB790DE0EB184C118094ED8C00F52FB10DB04662D730054B9E853A640BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.844{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CFD-6127-5604-00000000F201}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.844{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB42C9787D969D93879FAB4037D7F139,SHA256=1A728D612FB4ECB807276F045E6054C4E52C9E974B6123728E9178C1280E02E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.844{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.844{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.844{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.844{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.844{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6CFD-6127-5604-00000000F201}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.844{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CFD-6127-5604-00000000F201}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.845{80A11F3A-6CFD-6127-5604-00000000F201}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.644{80A11F3A-6CFD-6127-5504-00000000F201}45604760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.344{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CFD-6127-5504-00000000F201}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.344{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.344{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.344{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.344{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.344{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6CFD-6127-5504-00000000F201}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.344{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CFD-6127-5504-00000000F201}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.345{80A11F3A-6CFD-6127-5504-00000000F201}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:17.094{80A11F3A-6CFC-6127-5404-00000000F201}37124040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:18.906{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76A0B375D13E209CA8762A1FF73672A,SHA256=FBD45BF03A62CC841456CB1B79478B42CA187C103128B710F78DE39CB8CEBFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233306Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:18.643{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE22BFE0546BED5E002025E50C82ADF7,SHA256=A93B33070060315E951E8A5902C1AA604EE2A64056FA09C6731279B16D1E177B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:18.860{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87CAC1C6A945DC59F62507CE3B0B6052,SHA256=4E423B86B1619CE585599FE304B77C98BCE97E04F8D52454C5585122EE7D8FC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:18.063{80A11F3A-6CFD-6127-5604-00000000F201}49763288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233307Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:19.674{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8238711FEC376E9DEC245181A50E25F5,SHA256=43B07782D6F85B1C75A5AAA00A09443AF02FD0D57881685C609251992E3D97F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:19.938{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9499C7A8FF1BBF15162B2D04284D05,SHA256=BCE5614D5E48888909BA5727B4AED23217CEC21518E2F881A42D4999127784F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:19.516{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6CFF-6127-5704-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:19.516{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:19.516{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:19.516{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:19.516{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:19.516{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6CFF-6127-5704-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:19.516{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6CFF-6127-5704-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:19.517{80A11F3A-6CFF-6127-5704-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:20.953{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D8133E1C331785C43A2558EE4B7E75,SHA256=58C9A028962078F93AA835AA01D82984AE9A2AFC472B937DA2A5000961E6B575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233308Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:20.690{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993521F9F7CCBEA2A6A88FA0B03F3EF6,SHA256=EACC23F48DEB136FF5FDBCADD91DEE6B0F3D6E0701002ACD5A991763C87BB852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:20.703{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=764B7CD7FC2D99EDE62D734EDF50D70A,SHA256=57EF332E3950DF23BA35FB0B1773E77F67B95E42FC834666C992BDD4C50479DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:20.438{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_102913MD5=374B13951600E7ECC73B1C934DFB0318,SHA256=BAF63DB4434A10841D177DE9A7175F5025E6B77F639FC699132DF540C3043096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.985{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74ED98CB12B9EF17BDA1ADEAB4272ED,SHA256=EB842DABE3C16AA6A48B8CF39135B21FD7DDA59C4B4F379EB81DF852F87AF7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233310Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:21.737{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1EEEF6D0CBFAF6355B96859C4A3C53,SHA256=86813440CD07A50FD5F37E8F00E187C8576C658C44E022782629BFC1CB8B1963,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.906{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.906{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.906{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.906{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.906{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.906{80A11F3A-4F82-6127-8800-00000000F201}41204924C:\Windows\system32\sihost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.860{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.860{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.860{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.172{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.172{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.172{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000274436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:21.172{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x8000000000000000233309Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:18.231{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233311Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:22.737{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1037AAE5A70C6F601AD7A4B64BCBC8,SHA256=B54B76CB976D61E237A849521B18A678A02F2F76E0943971F0F1AE805C53E252,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:20.804{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233312Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:23.752{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602F0C40303EE55643AD4558F7F7CD04,SHA256=F8BCA4D1B9793FA4571AF8BDDDCEC54D4DDC2BA8177C0845C6BB7BD1D5440E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:23.031{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF42252A7DD18C9736B8FBC59C6302E2,SHA256=5B1EACB6FB6DB0F236F94CBE343B584BC4A8279A522260638E3AAAF91B519F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233313Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:24.752{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6F547E1BCFDC9DFD26CE59FFC7950E,SHA256=7E1A395DABAF215034A96FE5EE7599C5A4483DC55204734A16834ED8E6FE577E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:24.078{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D61E65AFCEB5695E9B98FE7F5DECC5,SHA256=4C379B3E09C81D7DE022CFA0EB3300ED91AA78EA84CDF011C044CE327F6957DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233314Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:25.768{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADDB92CBECBAE3E9C6A078F34A6AF4E,SHA256=4DE506796B8B5E98FBAB28607471891989E0138107635BE62E4F470102DBF502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:25.094{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C28180FB5B8E62601B1E2999938899E,SHA256=BCD73595279F0FF5E20133C5FEC3D3CC8EC230D86421F63EA44B26494C7BBBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233315Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:26.830{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A35660E27238F99FE980BE2B64DB90,SHA256=0206587D5350909AA8449F0BF34C7AA7BD9EEF7C333BA426E6E1281A4A284716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274457Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:26.469{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_102913MD5=BB0E0CD762D9A6531B63974CFF2EB323,SHA256=58C6659B3503A510A5C3B924B033AA03FBB0EF35C84D6F8831EC205A0CD2EE09,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274456Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:26.469{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.bat2021-08-26 10:17:00.433 23542300x8000000000000000274455Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:26.469{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.batMD5=8458CC0915FC3472E9141CDEB930A853,SHA256=AEB372DB132636B209ED268F5BA36D4DFCF4EDC266AE79EAD9F362ACB7092107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:26.110{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410A017C66253ACA99F9E9458A43762C,SHA256=48F8D58B4B8F3AA415E15EF492A9194F4B8874704AAC3C6AC2DE2A9794C96E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233317Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:27.846{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB8E8D95B042827F6B688CB853B9E13,SHA256=B4AAFF6BF6A9D771CB6071EDA992800DCC8FB5A5D6085DB97D144E984DC50006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274458Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:27.141{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D15225527A07F58BEBD7335E40AC5F,SHA256=BF11B31E9FB6DF7D6C801334BAD7ACCA50D76EB534FEA16792D2383947FF4926,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233316Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:24.215{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233318Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:28.846{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1601B42475E85318681C852B0AD5D781,SHA256=FBE7CA1F27503E12E04341532A95DAC2B7033FD54FF92B1BB676905E1133AD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274460Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:28.156{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3491AA75A51B5021A0446BB46F2514,SHA256=743655726B264AFC65A97CB53F614BDDC4ADC82E0083976318149ADB95D802A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274459Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:25.820{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233319Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:29.862{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C5B1438F5B5E2BB4CD6BAF4BE12B29,SHA256=5C719CA69F2D564298B8565C257C82D6571E1D483DA66BEE40EEDB945843EFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274461Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:29.188{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D229F4E4619FB51C3C167101E8EC2F96,SHA256=299D2F0C8E2E3948AA9B4959F93680A2D0E825A1C7848ABF61FE47203CDAB601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233320Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:30.862{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D34F761954CBC4DA03C6477956B77DD,SHA256=8DC6B126137B95544475D06A250AB5858946FB8CD6D64B50827F96EFE3B2B401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274462Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:30.219{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC10557ED4FDC54AE9B92E6B733FFA1,SHA256=14481FF13AAB011CE3932CD573C97B08448E5AC6C004D349191B16AA14E0A21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233321Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:31.877{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961742C07995D5B5F8069A16C7D98423,SHA256=83E282F968045F78A16BDE8C53B74DFD9F5085D09BEB82DDE3FDDA87C7194302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274463Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:31.235{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA1E3E1595FA15C2BF7D929280BCED5,SHA256=8475D7F3955D79424C82D747E91B78BB4D10325D6453471FA52E94E042527EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233323Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:32.877{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE05CDD1F9F72947AEEB242809E8A5D,SHA256=4B0F751A04E296E778471B5A86CB6E631CD5E488F6DCBD8824123442A8EEA754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274464Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:32.250{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80D242C38846430A9235A12223F94B9,SHA256=64AC7AE304F210675BA69F34E9FB0AD5AE43A864F0F0EBE563166C1241C0C7AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233322Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:30.184{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233324Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:33.908{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BC4C473B661B1747447AF9A54E60B9,SHA256=BBBBAC89059AF0D91B5252331D2171DA8F7F18D9AFC2D3B19EEE08A8E5F5F6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274467Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:33.375{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=0E342A0F5764FAA1ADAE72548885B456,SHA256=9D540F7777E60093E05A28C9DA72430048B6B583ACC1A1B7E34536EF9BC52298,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274466Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:31.679{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64064-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274465Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:33.297{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264E14B41014CBA8CEA17C2E19A838B6,SHA256=04C6F18088D6A4A8B46035018F46A4416F4BC24794AF01DEE486E2FA63092DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233325Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:34.908{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6067D609A762A0AF2DFD6340EA7344,SHA256=7763BA2F1127B8E49951E7B769AC3CACB051440E0940708412B482E25F3685CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:34.313{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6604B910CFFD07F3F14CDC76C7B02B0,SHA256=453D6D54FD8B215C004197ADCEC177B21915474070ECFE38B116CA2471CAF26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233326Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:35.924{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB43083490DB6BAA4F3992C71AB958B,SHA256=E1E7492BBF4AAAE7D9004B5210E0131549189AABCD9FD7D50605B0E58084C3FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:35.313{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166732663A4E498AB961AF0180705411,SHA256=7E377E1B8A3DB38633A6E9312F9B709C8CB9605ED291643C42A9DE616706BD87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233327Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:36.955{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6182D38BAFCB40FD9E99B57A50862CDC,SHA256=F8611731D6A33DE34CC9C028199738F015D34A94ABCF1B287B9FFE85DCB6EC93,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:36.703{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.ps12021-08-26 10:17:55.623 23542300x8000000000000000274471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:36.703{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.ps1MD5=2FC3FCC264DFE2C6A747F1A8D6FEB04E,SHA256=33C49C6687B19F811BA4FED0187B89DDA9E680A9DC3F034046920A3426E6C427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:36.328{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F9CE70B2D11F8CD9432AE2ABECFBCF,SHA256=7FDFE711FCA0ADBFB33D4789D82861ADC7F9D375FA4F0EF3D8700A74DBB8B38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233328Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:37.986{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD893117F9CE5D444E6D141CB9C37B9,SHA256=D197729434CAAE8EE92CDEE9213FEA3BD5029C82528F5AF0A9DC37F2477317CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:37.360{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836B61CE45E0423695CDD9C42440D91A,SHA256=94CC3BD0CE05451257B18D7C3CB294745B7C5F233B2A56DD2308F794DADF16D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:38.375{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716D4EFDA3324CE689A42E769BDA8ADE,SHA256=944D8D88338660516F409DEA4E859B06E695686B4037C755DC2ED9B35CEE87D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233329Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:36.137{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000274476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:37.663{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:39.391{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F586CC2FA237F4FB074E95FCEAEA1F9,SHA256=1BF10E350C48B19B75A8213C1E4B2EF5CDA6E990B6169E8CF60089DF35B9FACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233330Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:39.002{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193B9AA7C31B370E17B1FBB1D3C364FB,SHA256=7A636557AC2F7C23EFF63ACB3A9C0F1C758FEF805FF2A29A14DEB5F6E27E77E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:40.859{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_102933MD5=A36D633985219B75FDE617074E6CF194,SHA256=594E7C77D37219899905D39B62AA6FAE10F78ADCA0D5B6BFA2C946EA9C24C979,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:40.859{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.bat2021-08-26 10:17:00.433 23542300x8000000000000000274478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:40.859{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.batMD5=B1E3AE13E887E59D4410AB81A9DF706F,SHA256=3683244093236F91C0A93B9A1F37EAF4B516E54E5045C3EA03AFACEFCC653A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:40.406{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02E3E89081B84FEE706985CDB104824,SHA256=DBA311B86AC3E556B7B33935D804792C09B50704A7AA64AEC3353B4831A0C9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233331Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:40.002{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA88E9180039D22753B60BE94BB25096,SHA256=CF55B36186128D1734110586543597F1B790AA7E41C747C598E43162DB3BA0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:41.438{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1900D6F890609F89725B504EE440710D,SHA256=83C641C8601EF3D67BBCF536D0750AAA5F7CB8F0FD8C7B85880F06E08C3ECCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233332Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:41.033{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEEFE52C0582976D268C481F6CE05F1D,SHA256=1019998612D84346A29981CEAEF9F10F4FECDA7F4AC4A0D28F3BDEE5D37BD993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:42.438{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5D43B9706E82D44A2180864409DD3B,SHA256=C389FE7504A7877230B63E7BBA91D47431E747D17F9852B11FA42FE5B8ECA364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233333Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:42.049{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741BFF2FED1718C9C76E1ECA21D8953E,SHA256=0E0C82C7309575E50CA232AD34C4CB8F01B4DB6E3C47DE2F117F94F74B7B8840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:43.453{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F14708432A7A6A7876E190DA38DB63,SHA256=5687A110B5A3377598259C876AE7030C9E8152E24DE86E25D180EEAD50C0AEF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233335Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:43.455{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8F18EA7A8A4E7374ACE4A7E05D568389,SHA256=D8B8FF8EA70DAEB1F4ACAD1E7D551E60F7B438E0827D1C449729F5AC7A190201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233334Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:43.096{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9B631B4ED994D35E89174CD5BDB0FB,SHA256=4E204FAEF46FE368ED26AE4B4DD2AF6A7C68433286050E35B0FBFEE59A5F2BD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:42.741{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:44.469{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FD977D0CFD139E8886F5D0A1C79513,SHA256=18AB625E4707737005E42D1ABA68AB4E7548F703F8733E00CA57C42241195515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233336Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:44.096{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCB1A3A1515032B3B398512443B61DC,SHA256=3087D24582217EBF4C3E4B76667CE87BF007617F0B2B35427B6B7753C6611496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:45.516{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1098C4C8ED149358D4A6356F0B094A,SHA256=8CD0445EF8E5F2C63D18D36F716DF9A742D7DAD7B28FD682BB22A6BF6091BFF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233338Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:42.091{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51248-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233337Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:45.111{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865945E25C799E0C93A9D9BD37034016,SHA256=D76D1B7B21CE7D45AD1BD6394625C67BD68A907790F9B20D2D9EEFB880F50D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:45.234{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F22B313F8AF292A94D29662EE30BC087,SHA256=321E69BA340C3B14EAEE479CDAA731A44058D04D4F09570978D3212AC025CFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:46.547{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D35854C1B167D1E916E9FD63F0A4C7,SHA256=89F89085D6CDD85CD9952632896DFD79D5D9B40977D7A2B2130FCDAE1F4A9960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233339Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:46.111{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2C536CD5CF254C937CC38953D96C21,SHA256=95D1BA648B54A53A9A9E4055FE5E7535DF3300AB0909F10ECD25626BDB68948B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:47.563{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AFBAEA7C76A5D827ED067AEB4B789B,SHA256=DB5987C2673C34F23EF59140D0AA52095977FE37ED36DCC720AFF21EC87CE956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233340Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:47.111{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76EC2EEA626B31B529D6104FBBD0BCC2,SHA256=D22C8EEB0C00675B5A3AE529C94B5FA27E19F86F75E89BF4DED9A431AD097BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:48.609{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6975EB9FE505D5B9957C210154C6967B,SHA256=47697A12E9C9FFBBAE05F156ED1FE3FA0F82AFDBF8160CD989D2F8B1BEE25209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233341Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:48.158{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB0EE43C43FEAD6D48A5E6F0FDE7E55,SHA256=9EFB4FBA80D8C936ACF4B521EB452970476E8F2DB82B3BB5A39DD1F6F22B0C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:49.750{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:49.641{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A893F27BE9D35BCCEC9114BDC62D4D,SHA256=11FC4178DEF967548BB331D50010CCB521BA2EAE61575723560B9CFF25CFA09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233342Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:49.205{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265A1B75E3E42F40FA4305F7B6A88391,SHA256=45263031863CB2A472473A96115CBB3335177B8CD9FC40074537577699E2A52E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:48.743{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:50.656{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A43DAEE2423BC4710C04ECF2CCADF3,SHA256=EB1E72DCF68B1734467F4B06BB1763FF04EE0934E79E207CEC144E8A7D874C08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233344Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:48.059{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233343Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:50.236{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116CB06107B7F6B30794064102EBC5E2,SHA256=684A9B16A29AFF307DE3E7EFB5B5117369F1868FDF2D944F876CC2B1AFF87442,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274496Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:49.304{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000274495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:51.672{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1B4587159A4EF872CFC1E20DB8B799,SHA256=25FEB6A0D37E2E4CCA74553E1CE0F6E63EB0EBF78945A4C43A7C0DBD10588795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233345Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:51.236{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C8FE62380BF8C669CFB220960C5B04,SHA256=8ACB64B0EF76E3AF375403C73E9D9B23FC3CE70F6B1599E2C5A948C6FF435C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274497Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:52.703{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020EAB85389B40D996D6E176396340FA,SHA256=3A3C30EFB48578955F5A7D0B5CD2B63F82803CB4883CB7D7ABBAD358309DCFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233346Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:52.252{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D932338AF6674C79103AC6DFAE27B3C1,SHA256=4CB4BEEA0F6D09C6ED3742F377D2AA056599E15800D8627B0AA8FED5DCA4EBF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274498Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:53.703{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47EEF52DF1BB0FC948CF54350417AEC,SHA256=388F677FE971669A9D9FC2894321E943553D37C6518E2DA48FC0BCDC48A40C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233347Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:53.299{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8004A0992377B7338FA9722DC31403B,SHA256=4B6463170F4F8D869B78392889EFB54FCC14D6B2F745193E0C361694568F2A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274523Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.734{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5ABD0F27C32318C8AA07F8B18549A1,SHA256=66346EED16850B66E4446E917CE466D7C87F30C6FF9E9F56E5A28B8E1EAF0657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233362Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.721{D371C250-6D22-6127-1304-00000000F301}11884084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233361Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D22-6127-1304-00000000F301}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233360Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233359Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233358Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233357Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233356Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233355Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233354Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233353Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233352Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233351Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6D22-6127-1304-00000000F301}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233350Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.502{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D22-6127-1304-00000000F301}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233349Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.503{D371C250-6D22-6127-1304-00000000F301}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233348Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:54.299{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DF0552FD99DE8113A409D8729A5B3D,SHA256=2DC2CC38AC8CEFFABF36B910165BBB4E096781093FC8F00E56DC89904AA1B0B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274522Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274521Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274520Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274519Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274518Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274517Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274516Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274515Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274514Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274513Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274512Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274511Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274510Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274509Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274508Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274507Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274506Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274505Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274504Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274503Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274502Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274501Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274500Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274499Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:54.281{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000274525Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:53.761{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274524Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:55.781{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F618480E7ACA8BC47FA49D2EBCB0F4E1,SHA256=266C1AFE48E0145083818C8C518EE091549BB52ABDE87E164527E57EDB85E576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233392Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.965{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A3D8DE9D4A94F28F6CCF06E2D69DA1,SHA256=D9D2E9203A119D8D5C774C6D969CCA3ABF61F74B4413BE65F6E7A0B97D37101E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233391Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.965{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B099A1B71EDCF8DE1F63868C066C8B,SHA256=60A23AD2F53A07C5E42164707414C218B17A8972F5C1CE1EE0E6171F582B3600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233390Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.965{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42D30C64330515D5E097105AC29257F8,SHA256=F601A54AB0E72DB4971A9A1A64C981CE695D913236DF2C46848115D7A3097AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233389Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.639{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-124MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233388Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D23-6127-1504-00000000F301}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233387Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233386Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233385Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233384Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233383Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233382Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233381Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233380Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233379Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233378Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6D23-6127-1504-00000000F301}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233377Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.489{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D23-6127-1504-00000000F301}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233376Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.490{D371C250-6D23-6127-1504-00000000F301}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000233375Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D23-6127-1404-00000000F301}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233374Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233373Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233372Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233371Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233370Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233369Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233368Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233367Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233366Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233365Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6D23-6127-1404-00000000F301}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233364Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.002{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D23-6127-1404-00000000F301}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233363Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.003{D371C250-6D23-6127-1404-00000000F301}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274526Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:56.813{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F2CC89960AFF2A3C3071C9077730F5,SHA256=10CA029FA36672CD62EA06E731E3BF6CF00A11E43FD27A713A8DB450578A80DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233396Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:56.627{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233395Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:56.623{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-125MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233394Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:56.497{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1C575DDB012E3494BCB1CCAFB68EE4,SHA256=36581E5B6F6EA0363D945C878A53F641865C9EC3B38D2A4A2BEF8EAAC534CAB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233393Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:53.091{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274527Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:57.844{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B0E92D825584899A204C3B3E15E7B9,SHA256=210E6662ACF48BFE5720CF231151E72FEE686C1097D43969728A0CA3CB742DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233397Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:57.512{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F57D23FB26BAB30A8DFF966EBF607D6,SHA256=9D66903D1CF5F4AC07962661CC9A3144D0F9C9535D03ED7F00854001C22761DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274528Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:58.891{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A515180D826E8F2AB78842D0A227CAF1,SHA256=1CC4C68416A048EEC60F5B8C436413A9CB8CA33D81764424351B5EF28FDB943D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233413Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.559{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4963FEC39946F844833D9DA548007E5,SHA256=137912463DE7DF5AFCDFCA7A7054AF136A55D7982DF7370FF7D729E0E5A6E045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233412Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.512{D371C250-6D26-6127-1604-00000000F301}5801892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000233411Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:55.585{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000233410Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D26-6127-1604-00000000F301}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233409Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233408Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233407Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233406Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233405Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233404Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233403Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233402Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233401Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233400Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6D26-6127-1604-00000000F301}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233399Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D26-6127-1604-00000000F301}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233398Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.200{D371C250-6D26-6127-1604-00000000F301}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274529Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:59.906{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F32EB2EE953DD292538016ECC9F37EE,SHA256=B407E5D9AEF9C5A5BB356CBED5EE33FF23E1B07666102D7F83569206188477C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233430Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.575{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF9DA8DDF6EFBF41D9AB3729D1DED14,SHA256=9A598138D52E7E39CD7E51C4F29EC42207CAD858BB2F957963645C9317A5F62F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233429Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.497{D371C250-6D27-6127-1704-00000000F301}40883532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233428Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.434{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A3D8DE9D4A94F28F6CCF06E2D69DA1,SHA256=D9D2E9203A119D8D5C774C6D969CCA3ABF61F74B4413BE65F6E7A0B97D37101E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233427Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D27-6127-1704-00000000F301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233426Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233425Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233424Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233423Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233422Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233421Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233420Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233419Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233418Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233417Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6D27-6127-1704-00000000F301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233416Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.340{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D27-6127-1704-00000000F301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233415Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:59.341{D371C250-6D27-6127-1704-00000000F301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000233414Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:29:59.012{D371C250-4F15-6127-1500-00000000F301}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a65-0x5213e57c) 23542300x8000000000000000274530Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:00.922{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47201A98A78B2A2C96BB7567B93FDEC,SHA256=483A72C6199B1FC01517F0AE6DA896707BFD31746D5AC774BE7E681B5E354A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233445Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.590{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E3FEE2BF100DA61FF0ACFC1B9464C1,SHA256=A7F3E9C49D061412D599ECFBA6228B4FE966CE9420D26B170F831F495AB3F5C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233444Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.200{D371C250-6D28-6127-1804-00000000F301}4081136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233443Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D28-6127-1804-00000000F301}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233442Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233441Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233440Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233439Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233438Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233437Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233436Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233435Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233434Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233433Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6D28-6127-1804-00000000F301}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233432Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.012{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D28-6127-1804-00000000F301}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233431Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:00.013{D371C250-6D28-6127-1804-00000000F301}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274532Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:01.969{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37A5AD30058E09F7A79EBF02C1030A5,SHA256=69E1198C55F71837D332EDE511E7616F266E86C0E1F87A7FF15F12525A4543C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233448Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:01.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7636D81922B2914146C8009D6CD3F252,SHA256=B411A2B2593FD0096B19F7D30A3703EBE6E027E1A722FF010BC4621AE9429972,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274531Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:29:59.710{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000233447Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:29:58.242{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233446Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:01.012{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24A63EDEE3C64A8F62D1A4C10323B3DF,SHA256=B74B456BEE9F55754B6011B6F92ED0185C9C93A9AAC66715A055B41916575C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233462Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D466C80D5752B6751748965B8B6322,SHA256=469DE652D048CE67562401C368BC3BEE6CD7ECE095A0A8EDB274A4C9E512B0DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233461Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D2A-6127-1904-00000000F301}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233460Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233459Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233458Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233457Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233456Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233455Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233454Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233453Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233452Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233451Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6D2A-6127-1904-00000000F301}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233450Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.012{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D2A-6127-1904-00000000F301}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233449Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:02.013{D371C250-6D2A-6127-1904-00000000F301}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233464Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:03.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D5A21654EA6CD0C288FE7C4EC9352B,SHA256=0680F33BF1DDFB16811560DE6131CD328F2A15C8B72760578C6D7B81CD105271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274533Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:03.000{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4E6DC956C04EF87C1928D8AA52AD96,SHA256=6D81B23B93979598E35591E6072F4002AF05712CC53956A583FEB588817DAD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233463Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:03.012{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=509F8D6A12AFF749E5A50609A4B9221D,SHA256=05181F5BB4296790666C9883824A5F2E59E715357BEE119200CF2E7856B2C43D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233465Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:04.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E887B083DC6BB186DBA413597737CDD6,SHA256=BB35DAA4869A7C8FB76EE09E1730D95DCE0625C442472EC7D172333CBCB3582C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274534Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:04.000{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84446DB7CB2B0159945AC1924210A746,SHA256=5BB848525521B2056DD7537D6F8F7B6CC54F6ED272E18EEB0864964530895B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233466Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:05.637{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6729ACCC264AA84B7D0A74A026293A68,SHA256=152F464261CF9DF5B376C5A388A4821266F5C4E3205D6C151244D9D8E0BFE73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274535Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:05.031{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89D93EED2A49D391B514AD16FFA648C,SHA256=F36009396B70A8E97EDC37171CF1BC1B9667C7EE9496419BF2BE33ACD0C68FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233468Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:06.684{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05D4EA7A43358FD551D5FD95A1004F8,SHA256=2AEA4989A3CDB2794905E73FA334A809571855CCBFD12D077694E136E981EA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274536Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:06.062{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF159E3F859B6F0C01C19699AD90FE6,SHA256=604C93677BC9E0E71FC2DFF3CD5FDCE79FD19E468214E22F985655CAE0274525,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233467Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:04.085{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233469Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:07.700{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7759B164B3615D9AB00CE969BD91D3B9,SHA256=FEF163A39CCD4C5C538D30330BDEB477AA779D983CFDE0440E97657D288FEEFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274538Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:04.808{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274537Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:07.062{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E9D5E9794F5CFE84024BDF1DD1410D,SHA256=031D14766E4052BCF64091FEAB9827447E0E578D91C5A43BC277F3C6CF9E5689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233470Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:08.700{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60A616FA79EABCA2B6F0D22531143A5,SHA256=2FBD7B4203B958936458236D8215C0BFE065F56814CB9475CD55D04DB3AFEAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274539Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:08.078{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83154FD7FD0914C3D823DFCA2B220D9,SHA256=6D66734A15FA95D9597FF41EAD2667964BB11AA4325779796B1C3A035350C772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233471Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:09.762{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B782DDF708FCAA396D0D124288D207,SHA256=9F30AE672F67FC6352848F0F84A4BDD08D5A55961259DBCF3E54556E3683C881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274540Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:09.125{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D17C52C5C727D365C580044488EB64,SHA256=88E2A5781B32CE14FE9A389BF05CEB6122417F505CCAD82A07700AC9054FF34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233472Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:10.778{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA12C6FCBAC231E84450C767542932B3,SHA256=7DDCDD1335E01157ED2E5AD87FCA45B2FA7841E924CDF9BF7D05DF983BFDC44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274541Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:10.141{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE142D112A8E16798FD5352A77A5B355,SHA256=23952DABBC316E918D1F9C0B2CEBEED6691C46D158FE4B08DED89D15899942D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233473Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:11.793{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0263F2DEFC622950BEF68FB2CF549C33,SHA256=6F373076B2ED32AB059147785757906509235CBFC7D4586F1234039E53D27F88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274557Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.812{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6D33-6127-5804-00000000F201}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274556Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.812{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274555Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.812{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274554Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.812{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274553Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.812{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274552Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.812{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6D33-6127-5804-00000000F201}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274551Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.812{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6D33-6127-5804-00000000F201}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274550Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.813{80A11F3A-6D33-6127-5804-00000000F201}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274549Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.234{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274548Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.234{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274547Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.234{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274546Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.172{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274545Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.172{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274544Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.172{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274543Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.172{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274542Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:11.156{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07D2B88AA938EA0C81A3C2EBF0B28F6,SHA256=0CB371C9F63BDF48FAE6AAC9819F925A79B11B01D36CDAA837FCD6CA776D8301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233475Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:12.809{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754E5FE08B75C15425F4E1E97293D5FC,SHA256=735A3AA1F973931C32D1AAE6543E4FB63BC6D4AF4449622629E58AB161A58C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274569Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.828{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC6C12878F3012B7ED391ABAB7598887,SHA256=8A3B64450042444EC46F1769A3F631E8C53DD04630087057534EAECD295FDC5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274568Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.828{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C283F832907A23868FB61FC9EC2251F2,SHA256=5D6673A2767FA0C9DD0E80FE8B79A362EF2485B1AB3037F6BF7871BD4B27E7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274567Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.769{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-124MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274566Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.720{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6D34-6127-5904-00000000F201}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274565Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.720{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274564Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.720{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6D34-6127-5904-00000000F201}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274563Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.720{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274562Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.720{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274561Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.720{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274560Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.720{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6D34-6127-5904-00000000F201}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274559Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.721{80A11F3A-6D34-6127-5904-00000000F201}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274558Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:12.172{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38653B9B3C7952B11ECF2BB56B4682FD,SHA256=7A75A73E6324A9E40B4AE07C2D76F59EF5B1F5404A01CB8E5ADD5E07A3C57916,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233474Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:09.210{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233476Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:13.809{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4279806EC5FB2FD7478465527DF5FE04,SHA256=5FB17F39C124634BB06E57B7B279EBBE1A5A7035B8B32C915DD8B6066F57253A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274581Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.782{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-125MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274580Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.563{80A11F3A-6D35-6127-5A04-00000000F201}49401548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274579Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.312{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6D35-6127-5A04-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274578Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.312{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274577Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.312{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274576Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.312{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274575Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.312{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274574Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.312{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6D35-6127-5A04-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274573Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.312{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6D35-6127-5A04-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274572Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.314{80A11F3A-6D35-6127-5A04-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274571Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:13.172{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47091C1EB62EF56B4E71699B2302BC7A,SHA256=E0677C4DE5F2DE45CA2DFEFF8AD2E83E028A0C121806917793A81AE0F0606B81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274570Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:10.778{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233477Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:14.825{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3674FF6A0C46CF2E8BB5CE6F0D8A8CA1,SHA256=A89244B6C6F075365BBC17F6D0F126401DA2DB485EEBE1C418B3AD338568E70E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274583Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:14.316{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC6C12878F3012B7ED391ABAB7598887,SHA256=8A3B64450042444EC46F1769A3F631E8C53DD04630087057534EAECD295FDC5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274582Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:14.204{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF85D43CDA711E6CC1264AA9EC9E747B,SHA256=D812B384935AC25A327D50638AB1DD7C65D01A282438A869713D76A418C7403E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233478Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:15.825{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5F4CA73C227B416906A4701F31EDB5,SHA256=AC74E71761DBE6E65B2FC954DD992D5F3BA11342708275F5D10A1537FC96570E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274585Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:15.598{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D8B4DB6E126519B15612D46438EC241,SHA256=8927CA8C3CB091F9F27C82DC8737EB0EB8767126D675DA3AB926018AB440C8FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274584Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:15.207{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93778F03993AEF4D9535E9F30969DFE,SHA256=4DEE45961E54B78CB12B46BDACE45293DE047E720B20F6CBD3D84B2614A2995F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233479Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:16.825{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B6E54802FBFF2501CB2814EC3D55AB,SHA256=80C4574360E7C92D4DB6BE8690EC87A91F1944CBA8F9847A6EDBEE5CB4F6F25A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.895{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.895{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.817{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.817{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000274661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-26 10:30:16.770{80A11F3A-6D38-6127-6004-00000000F201}4540\PSHost.132744474166094665.4540.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000274660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.754{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6D38-6127-6104-00000000F201}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.754{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.754{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.754{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.754{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.754{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6D38-6127-6104-00000000F201}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.754{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6D38-6127-6104-00000000F201}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.757{80A11F3A-6D38-6127-6104-00000000F201}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.754{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A920828058F3431D5286A20664AF1AE0,SHA256=E0A852AC47B0F1C1505E497DF47434F964C29950A8B4AA35D41F5372B2567890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.738{80A11F3A-6D38-6127-6004-00000000F201}4540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ovih1rzr.0vq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.738{80A11F3A-6D38-6127-6004-00000000F201}4540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_acyeedxi.kxz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.707{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_acyeedxi.kxz.ps12021-08-26 10:30:16.707 10341000x8000000000000000274648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.676{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.613{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.598{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.598{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.598{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.598{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.598{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.598{80A11F3A-6D38-6127-5F04-00000000F201}24205072C:\Windows\system32\cmd.exe{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.609{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-ADDefaultDomainPasswordPolicyC:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-6D38-6127-5F04-00000000F201}2420C:\Windows\System32\cmd.execmd.exe /c powershell.exe Get-ADDefaultDomainPasswordPolicy 10341000x8000000000000000274639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.582{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D38-6127-5F04-00000000F201}2420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.582{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.582{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.582{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.582{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274634Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.582{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D38-6127-5F04-00000000F201}2420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274633Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.582{80A11F3A-6D38-6127-5B04-00000000F201}2576208C:\Windows\system32\cmd.exe{80A11F3A-6D38-6127-5F04-00000000F201}2420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274632Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.592{80A11F3A-6D38-6127-5F04-00000000F201}2420C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe Get-ADDefaultDomainPasswordPolicyC:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\ad2.bat" " 10341000x8000000000000000274631Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.566{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D38-6127-5E04-00000000F201}4760C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.566{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.566{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.552{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D38-6127-5E04-00000000F201}4760C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.566{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.552{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.552{80A11F3A-6D38-6127-5D04-00000000F201}15445032C:\Windows\system32\net.exe{80A11F3A-6D38-6127-5E04-00000000F201}4760C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.557{80A11F3A-6D38-6127-5E04-00000000F201}4760C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 accounts /domainC:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{80A11F3A-6D38-6127-5D04-00000000F201}1544C:\Windows\System32\net.exenet accounts /domain 10341000x8000000000000000274623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.520{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D38-6127-5D04-00000000F201}1544C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.520{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D38-6127-5D04-00000000F201}1544C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.520{80A11F3A-6D38-6127-5B04-00000000F201}2576208C:\Windows\system32\cmd.exe{80A11F3A-6D38-6127-5D04-00000000F201}1544C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.520{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.520{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.520{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.520{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.529{80A11F3A-6D38-6127-5D04-00000000F201}1544C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet accounts /domainC:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\ad2.bat" " 10341000x8000000000000000274615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.488{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.488{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.488{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.473{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6D38-6127-5C04-00000000F201}4756C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.457{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6D38-6127-5C04-00000000F201}4756C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.426{80A11F3A-4F83-6127-8F00-00000000F201}45924736C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.426{80A11F3A-4F83-6127-8F00-00000000F201}45924736C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.426{80A11F3A-4F83-6127-8F00-00000000F201}45924736C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.426{80A11F3A-4F83-6127-8F00-00000000F201}45924736C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.426{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5C04-00000000F201}4756C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.426{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5C04-00000000F201}4756C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.426{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5C04-00000000F201}4756C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.426{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5C04-00000000F201}4756C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.395{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6D38-6127-5C04-00000000F201}4756C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.395{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6D38-6127-5C04-00000000F201}4756C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.395{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.379{80A11F3A-4F80-6127-8000-00000000F201}2204644C:\Windows\system32\csrss.exe{80A11F3A-6D38-6127-5C04-00000000F201}4756C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x8000000000000000274598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localInvDBSetValue2021-08-26 10:30:16.379{80A11F3A-4F17-6127-1400-00000000F201}1032C:\Windows\System32\svchost.exeHKU\S-1-5-21-3401929934-754655068-3831493345-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\ad2.batBinary Data 10341000x8000000000000000274597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.363{80A11F3A-4F17-6127-1400-00000000F201}10324140C:\Windows\System32\svchost.exe{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.363{80A11F3A-4F17-6127-1400-00000000F201}10324140C:\Windows\System32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.363{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.363{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.363{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.363{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.363{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.363{80A11F3A-4F83-6127-8F00-00000000F201}45925084C:\Windows\Explorer.EXE{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274589Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.367{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\ad2.bat" "C:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000274588Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.301{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A203651FAB6E36FF12E82D05E52414A,SHA256=5CC04CE7468D907F756A04E7474F42808D335AE74471DACCC4436332DD967C88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274587Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:14.152{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64073-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000274586Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:14.152{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64073-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000233480Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:17.825{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFADA645B32A275DB5776BF452D38728,SHA256=0EF285F1EAD44CED363BE2A12C0E8BBF46373A5BE4A69A561D799D2C9484D293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.926{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.926{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.879{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.879{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000274709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-26 10:30:17.816{80A11F3A-6D39-6127-6404-00000000F201}5104\PSHost.132744474177167889.5104.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000274708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.801{80A11F3A-6D39-6127-6404-00000000F201}5104ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qfo5zy2p.uxk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.801{80A11F3A-6D39-6127-6404-00000000F201}5104ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qzz50k04.zlp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.785{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6D39-6127-6504-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.785{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.785{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.785{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.785{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.785{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6D39-6127-6504-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.785{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6D39-6127-6504-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.786{80A11F3A-6D39-6127-6504-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000274698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.770{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qzz50k04.zlp.ps12021-08-26 10:30:17.770 10341000x8000000000000000274697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.754{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.707{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.707{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.707{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.707{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.707{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.707{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.707{80A11F3A-6D39-6127-6304-00000000F201}1722356C:\Windows\system32\cmd.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.716{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-ADUserResultantPasswordPolicyC:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-6D39-6127-6304-00000000F201}172C:\Windows\System32\cmd.execmd.exe /c powershell.exe Get-ADUserResultantPasswordPolicy 10341000x8000000000000000274688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.691{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D39-6127-6304-00000000F201}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.691{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.691{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.691{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.691{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D39-6127-6304-00000000F201}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.691{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.691{80A11F3A-6D38-6127-5B04-00000000F201}2576208C:\Windows\system32\cmd.exe{80A11F3A-6D39-6127-6304-00000000F201}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.702{80A11F3A-6D39-6127-6304-00000000F201}172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe Get-ADUserResultantPasswordPolicyC:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\ad2.bat" " 23542300x8000000000000000274680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.660{80A11F3A-6D38-6127-6004-00000000F201}4540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.520{80A11F3A-6D39-6127-6204-00000000F201}21164016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.395{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48FFD947AED06CFB63219BF0BBCD6607,SHA256=44BF9FEFA0FBBBF87D1ECC2BB448B7EF01002C61067CD2C973F71A8DF69A424C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.395{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD17F7D14968A7F267762044E4E79FB5,SHA256=011534B2D7AD1E8DA39FE800FB0FA00B54254A82906B42B3996B09144047FCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.395{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=61952E473C23C051F97F89287808E811,SHA256=28BB7C679D8982A4731397E0730558DA89E8F0E68C624E203F9C23636333B543,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.285{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6D39-6127-6204-00000000F201}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.285{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.285{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.285{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6D39-6127-6204-00000000F201}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.285{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.285{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.285{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6D39-6127-6204-00000000F201}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.286{80A11F3A-6D39-6127-6204-00000000F201}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.082{80A11F3A-6D38-6127-6104-00000000F201}48802764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000274666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.066{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x8000000000000000233482Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:18.856{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69402B9980B064CB8E8177FD23A57A26,SHA256=8992F754B457485CFFB6B2E823BB9EBD8346B2B71715CAF218030C8514D0FDA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.179{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64079-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.179{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64079-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x8000000000000000274727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:18.691{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06BE669D0C5DF4C0497AC3C67144FE83,SHA256=67AF527C05BD851F302FDF4959190FC96B025A01D8C4E7F8202BE1126B48905B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:18.660{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BEC87471940E8D5869D56AA9081AB550,SHA256=23A70BA2AFAB330B3EDAA1B055BF689B042FFCB918BB29D686608D02ECBE8B20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.136{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64078-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.136{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64078-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.990{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64077-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.990{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64077-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x8000000000000000274721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:18.566{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA739C53ECEBD2CFAB71039E4D3AB7FC,SHA256=0B3682975643DC06489A426D836BCF61B05339F3A6E7ECC6D142A5491C9A193D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233481Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:15.101{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000274720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.793{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64076-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.793{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64076-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.745{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64075-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000274717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.634{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64074-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.634{80A11F3A-6D38-6127-6004-00000000F201}4540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64074-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 734700x8000000000000000274715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:18.098{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000274714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:18.004{80A11F3A-6D39-6127-6504-00000000F201}47841744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233483Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:19.856{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124218879E0C30C19307694C489B26E9,SHA256=F2A1BCD6685C83B583239BFCA37316E9AE30F67A3B76E63EFEE63EE8E09194E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:19.738{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A86ABBE14BC48808207F49A30076430,SHA256=10E04140A27126104F1A5D934AF6EA60D9F44B08F7F9C23B82C19AA9BACF955D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:19.505{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6D3B-6127-6604-00000000F201}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:19.505{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:19.505{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:19.505{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:19.505{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:19.505{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6D3B-6127-6604-00000000F201}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:19.505{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6D3B-6127-6604-00000000F201}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:19.505{80A11F3A-6D3B-6127-6604-00000000F201}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000274731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.667{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64080-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 22542200x8000000000000000274730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:16.632{80A11F3A-6D38-6127-6004-00000000F201}4540win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000233484Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:20.887{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1071A00661CDFB2BE6CB522D3D9062C,SHA256=CF0C82A0588196EA77707EE256F8B2154CA38E152C7B51BC58F87FE4DE810A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:20.769{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F97E678C385EF27917A28624F54E7A,SHA256=8155F41696A259DAA78DFA8047B81BC6118B92E7E4C9051D6448CEA99823486F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:20.582{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15DA4CB19BA8013904E8C387501BFB96,SHA256=3A5D9682664EB739B2890EE5D09C9A9396B27C01BF417F21E8DF98B581C2B8B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.764{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64081-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.764{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64081-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.667{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64080-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 10341000x8000000000000000274744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:20.160{80A11F3A-4F27-6127-2700-00000000F201}27962320C:\Windows\sysmon64.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:20.160{80A11F3A-4F27-6127-2700-00000000F201}27962320C:\Windows\sysmon64.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000274742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.666{80A11F3A-6D39-6127-6404-00000000F201}5104win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000274741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:20.082{80A11F3A-4F27-6127-2700-00000000F201}27962376C:\Windows\sysmon64.exe{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233485Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:21.903{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B285DCD2702AFA894A10291AA904CFE,SHA256=BF33114763A80ACBD386C2BFAFD521E7C15199EC2B987B9351C46B9B54D9A003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:21.801{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E025B81B0C39A3FDEA1C9527309D9918,SHA256=152C53F53E73C109216B9084965652E2208615BE5AB714CDCAE1AE516F8175C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.919{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64082-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:17.919{80A11F3A-6D39-6127-6404-00000000F201}5104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64082-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x8000000000000000233486Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:22.903{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3591C5FBC229B10D7A465AF6C202DE,SHA256=078FF3554FD2AFAF3163D3FFFDC423A339EAAA250535814EEECF61F9B9A7B345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:22.816{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFF50BE5BF6F45D9F7FFEF2A7EC4C8D,SHA256=ABACFC44A2CE7B1C1AB1187EBB49C040783A3A9ECD7B4CE67C13B6900954DFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233488Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:23.918{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5F99FBB8F96D535D1C8BA5AAA73719,SHA256=A47A82448B82F13889213CD647A816F15AE598C5E4E43008FA9EA21D053E4FD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.942{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-6D3F-6127-6804-00000000F201}3500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.942{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-6D3F-6127-6804-00000000F201}3500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000274776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-26 10:30:23.879{80A11F3A-6D3F-6127-6804-00000000F201}3500\PSHost.132744474237278575.3500.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000274775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.863{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615DEF4436D195B7671B3902D8BC509B,SHA256=8C8E68C612E3D8707AC88EE8314D54FA3560FFC84E451E739071A0F25894ECAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.848{80A11F3A-6D3F-6127-6804-00000000F201}3500ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ygfxpsjw.enb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233487Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:21.117{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.832{80A11F3A-6D3F-6127-6804-00000000F201}3500ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_k33shsp5.lln.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.801{80A11F3A-6D3F-6127-6804-00000000F201}3500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_k33shsp5.lln.ps12021-08-26 10:30:23.801 10341000x8000000000000000274771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.769{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-6D3F-6127-6804-00000000F201}3500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.723{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D3F-6127-6804-00000000F201}3500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.723{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.723{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.723{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.723{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.723{80A11F3A-4F80-6127-8000-00000000F201}22044720C:\Windows\system32\csrss.exe{80A11F3A-6D3F-6127-6804-00000000F201}3500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.723{80A11F3A-6D3F-6127-6704-00000000F201}50321544C:\Windows\system32\cmd.exe{80A11F3A-6D3F-6127-6804-00000000F201}3500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.727{80A11F3A-6D3F-6127-6804-00000000F201}3500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell Import-Module "C:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps1"C:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-6D3F-6127-6704-00000000F201}5032C:\Windows\System32\cmd.execmd.exe /c powershell Import-Module "C:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps1" 10341000x8000000000000000274762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.691{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D3F-6127-6704-00000000F201}5032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.691{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.691{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.691{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.691{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.691{80A11F3A-4F80-6127-8000-00000000F201}22044720C:\Windows\system32\csrss.exe{80A11F3A-6D3F-6127-6704-00000000F201}5032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.691{80A11F3A-6D38-6127-5B04-00000000F201}2576208C:\Windows\system32\cmd.exe{80A11F3A-6D3F-6127-6704-00000000F201}5032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.700{80A11F3A-6D3F-6127-6704-00000000F201}5032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell Import-Module "C:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps1"C:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\ad2.bat" " 23542300x8000000000000000274754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:23.660{80A11F3A-6D39-6127-6404-00000000F201}5104ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233489Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:24.934{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28A1CEB748099665074856CF9C20307,SHA256=C9976EF198282A877B5FA84332E739ACD363337196C82B780D0D6C5DF6527790,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.926{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6D40-6127-6A04-00000000F201}1160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.926{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6D40-6127-6A04-00000000F201}1160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.926{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A44A6CA1A2D9B1ACB0C18F7564EA82,SHA256=E1D1B0CE80531219565B2A0020B4AA93B7856796F306B13CBCAF377864B3B57E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.879{80A11F3A-4F15-6127-0B00-00000000F201}6323276C:\Windows\system32\lsass.exe{80A11F3A-6D40-6127-6A04-00000000F201}1160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.879{80A11F3A-4F15-6127-0B00-00000000F201}6323276C:\Windows\system32\lsass.exe{80A11F3A-6D40-6127-6A04-00000000F201}1160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000274806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-26 10:30:24.863{80A11F3A-6D40-6127-6A04-00000000F201}1160\PSHost.132744474247778473.1160.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000274805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.848{80A11F3A-6D40-6127-6A04-00000000F201}1160ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gqdyn0yq.5hc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.848{80A11F3A-6D40-6127-6A04-00000000F201}1160ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jcqjr3hv.utu.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.832{80A11F3A-6D40-6127-6A04-00000000F201}1160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jcqjr3hv.utu.ps12021-08-26 10:30:24.832 10341000x8000000000000000274802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.816{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-6D40-6127-6A04-00000000F201}1160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D40-6127-6A04-00000000F201}1160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D40-6127-6A04-00000000F201}1160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-6D40-6127-6904-00000000F201}4244016C:\Windows\system32\cmd.exe{80A11F3A-6D40-6127-6A04-00000000F201}1160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.777{80A11F3A-6D40-6127-6A04-00000000F201}1160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-DomainPolicyC:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-6D40-6127-6904-00000000F201}424C:\Windows\System32\cmd.execmd.exe /c powershell.exe Get-DomainPolicy 10341000x8000000000000000274793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-6D38-6127-5C04-00000000F201}47564708C:\Windows\system32\conhost.exe{80A11F3A-6D40-6127-6904-00000000F201}424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D40-6127-6904-00000000F201}424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.769{80A11F3A-6D38-6127-5B04-00000000F201}2576208C:\Windows\system32\cmd.exe{80A11F3A-6D40-6127-6904-00000000F201}424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.770{80A11F3A-6D40-6127-6904-00000000F201}424C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe Get-DomainPolicyC:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-6D38-6127-5B04-00000000F201}2576C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\ad2.bat" " 23542300x8000000000000000274785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.738{80A11F3A-6D3F-6127-6804-00000000F201}3500ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.692{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B42A9127990618B6D2E3D714935D4F28,SHA256=F38ABFF84DDA033E1C608F4F28114FDF3E4EEC61BBD51A297FE8EC017A0F8602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.629{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CBC96007DA9FD1213494D2F1C22C0B87,SHA256=B434E00AEF1BB180792C335898445C3CB8AEA7DA046DCDF955DE67873F6C3FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.535{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=465B116EA2431A9E94792A7ECCC768D0,SHA256=32E139C97B10AF19F5FE9FAC382B7F445835EF40EFCC71F08FC0BB21BA63179A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:22.730{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000274780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.004{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6D3F-6127-6804-00000000F201}3500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:24.004{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6D3F-6127-6804-00000000F201}3500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233490Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:25.934{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035BE2C382786E472E3E7EC1316E849F,SHA256=0C1C66D51FA7279D62B66E6E054D40EA5A3DC92231D043010237DF3AC48E14CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:25.894{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7F11696391A231A9A4B2B704E382DA09,SHA256=B49FE2C7C06B182DCEF663CF5D6CF3112A0EAE116368A7AAD1F8834385FC256A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:25.894{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F1689AAFC9D24BD6D46AA118573761F,SHA256=64C589943CF800C26D0C4AB20510D04331A46CC363C1E2EBB40DC3256D1AA350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:25.863{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAEAEAACA19D762ED743575B18F924C3,SHA256=7AA76556305D12FD06B4ED08F88567247F1BC1A057EE5509E4C9A271EE39A0FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:25.144{80A11F3A-6D40-6127-6A04-00000000F201}1160ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233491Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:26.934{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EC9DD2F4FF1AA29D06E74052285C4C,SHA256=A637541D4E1EAF33D8A9AEAB2F0D9CCDC00ED9FE313B9AC2741151AEFB3CD265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:26.910{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7CFEADEE5C0E2819E53726A6E41EFA,SHA256=2A36C09BC9AA8A191290627E2A76A4D3B423D8C5EC8441D4E6FC79A3C6D09926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233492Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:27.934{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEE58B3F027D9FF21FC6BD709C03A2A,SHA256=2349C43AEA930FC23DFD852D9C0D71769B5072ADF8D34F4571FC9F1A3251EB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:27.941{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17638B3CFAA17D845C3BEB350BCF5E1E,SHA256=CEE58732A344A65E971BBA73CB403DF508973970F0999ED7F41F31EAF2722F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233494Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:28.934{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2FE4836DBBF8FC566CD8A7638C6B78,SHA256=08F94D025C994FBFAEBE5EC69D2A2F57A444687868C1F1B9EECD6DA715EB9976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:28.942{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850E7F1707677369DAAEACFD677D9FA2,SHA256=DF7310CC5DC4573DFB9D7DB776EE5712B5A32BB1B2D50BA16EF3ABE79A062355,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233493Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:26.211{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233495Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:29.934{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB897C03042B9AEF5B638F1CB021B9B,SHA256=DB69CA2C06B979E00955C1EF2AC74061AC1A760D89F9AB6DD6100BEAC7CDC92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:29.957{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98FC5DFFD823201623D1DE71151AD72,SHA256=4006E6DC4DB922F00FA362058943679445FE71DE0F8751C5233AC699E5C54F90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:27.761{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64084-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000274825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:29.051{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:29.051{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:29.051{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4E04-00000000F201}2324C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:29.036{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:29.036{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:29.036{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:29.036{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6CCF-6127-4F04-00000000F201}4860C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233496Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:30.996{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B83428A39CB651C8DAC2652804AB552,SHA256=8ABC1C0AF527D0C2C0E23B5ECD0C316B44DD6B2EA7B781D1A06BF2A693A81397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:30.988{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED289AFCEE4C7F8C42B92EE1EF5821C2,SHA256=54B726DF18C257D4339615C728C71041DE41D53EAD8FD35D57A702B33FFBF326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233497Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:31.997{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40ABC996C9EC729B9614F7C457A6303D,SHA256=5A1EA91343885C93C94A23B339A2271896503C9AA3F50683ED24F05D5988B08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:32.035{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9C473E7DBE59CAF5A06FF61C9C4EDE,SHA256=516B6F9D9BAE69AC8D6D629D2EFE49CDF07D76CE6341C26A2BCC247205B28E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233498Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:33.028{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA2147C6CFA99D7DD5F3D22286B26DE6,SHA256=55A924BCB0D2A04A870C543A35337D35696B35424877141D8B9F41342E2657A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:33.066{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CBB65F7577787CF7FF3BF362CEB511,SHA256=3C3BF83ED844D925E86ACE174790B764072922B2EEF0EBF81DFEB5409DBEF307,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233500Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:32.179{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233499Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:34.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EF54FCD4EC3C4B91411E66CC5B2BE5,SHA256=3C4FD3840B08E98203157266BF70906AF7944D151E19A645090A343B8D742A33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:32.776{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:34.082{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FAA71A69D8BBBD4D6824EF7C146328,SHA256=49E96DB503F5DA27EAA5B3EFFAB395B11D7A07194CDBED12E72BECCCAD564A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233501Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:35.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C79C605F171E7D84F6F9E48DF4A12D6,SHA256=C8D400AAEE6D0C48E84032646094BB8D98CFD7DF354EC160E90E4CB752A85CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:35.098{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1B67DEC0DAB0406F1345D8CA112914,SHA256=FD04B1092AD2258B12475C3D04F1376FACAF9F52829F7B77835131046A8936E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:36.129{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D058D562F597A3A647D428EAB138C412,SHA256=13B6F72B7181317A11072F424E613F2F8E1A3DB146F18AF4178292EFA9AC5620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233502Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:36.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2A9C92D3BA249AC36C127F05B9D5EE,SHA256=9DD351F95A558CD769602C181C7E46DBA4D4F29B0336E53C7E169DAFCA82DD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233503Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:37.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D128464ABF8D03744B733CF9117F4DD9,SHA256=A74B5DD8B6A87DD63F4EDA6FE4CA8D5B5A007348468D75CEBB65F2F0EBA5DCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:37.129{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B41C2244A37B58592DF231003CAF16,SHA256=3560F6A0DCA6D80DD1FB67E43E4D916FD70239D49C05FE384E314200B538B3AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233504Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:38.106{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752A73F5DF24E7140943600668CD5DAA,SHA256=2DC8B3E85B91814043ED075F8788A3F1043F7CB4FF5D763CF77698F0736CFE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:38.160{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E283411C3C9212C1F85E16FA451DA8FD,SHA256=3856EDFDF9725EC0F5E1DA6E0020DCF9033041B80EE3864E9045C7EBA0B5353A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233506Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:37.242{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233505Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:39.137{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D168CF355828E65C13389A2479273BAF,SHA256=88E9536EEF9D6C268BF6E2C0C926DCF5C9BCCAC43CFAEFC88B67197273598388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:39.176{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6014AEBD61B0C4A802A7C415516E205D,SHA256=2F9148B54A710521F9B6DF329C002E00943196F3789D1FA93782DB69303361A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:38.729{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:40.191{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E299DED95A5ACADE3E98C41A379ED6,SHA256=9AA147D1DE67D5EA34C38C26A76E4D56CD5C756A25BE1549F4EDB69423517DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233507Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:40.168{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B4256353F8E7B54A0A2138944DA19D,SHA256=DE51AD3EFFD2058FCCE5DDBE730C10E825CF498FA736A1AF7DEA10C06E35B553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233508Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:41.184{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684855E11CBAB8C0A825221EB855AE9D,SHA256=4E1C07ED83D0FBCACE2D91ADF4560F2E15FFBB2AEEA23DF7113C7BE7F70B9EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:41.207{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCEF7A6428CFA64F50AE993C769650F,SHA256=82F1A8E9E4E8633526D49309026798A3EC05C7467EDC68BD0FCE1613C92B037B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233509Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:42.215{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB86D16BCA66F862535D5028673A3986,SHA256=047F102551F24B9D9025840F45EC611AFA2CFEE712BDB64C0BB489BBCA4E8777,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.519{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.519{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.519{80A11F3A-4F83-6127-8F00-00000000F201}45924740C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.519{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6D52-6127-6C04-00000000F201}1880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.519{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6D52-6127-6C04-00000000F201}1880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.457{80A11F3A-4F83-6127-8F00-00000000F201}45924736C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.457{80A11F3A-4F83-6127-8F00-00000000F201}45924736C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.457{80A11F3A-4F83-6127-8F00-00000000F201}45924736C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.441{80A11F3A-4F83-6127-8F00-00000000F201}45924736C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.441{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6C04-00000000F201}1880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.441{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6C04-00000000F201}1880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.441{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6C04-00000000F201}1880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.441{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6C04-00000000F201}1880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.426{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6D52-6127-6C04-00000000F201}1880C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.426{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6D52-6127-6C04-00000000F201}1880C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.410{80A11F3A-6D52-6127-6C04-00000000F201}18801864C:\Windows\system32\conhost.exe{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.394{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D52-6127-6C04-00000000F201}1880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.379{80A11F3A-4F80-6127-8000-00000000F201}2204644C:\Windows\system32\csrss.exe{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.379{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.379{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.379{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.379{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.379{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+1f9bca|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+175660|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+17c4a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000274842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.380{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000274841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:42.207{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A0233E69C426D99BFF6C74BE267186B,SHA256=B4C1C75589865A66E26267E8545141C3DC315C362EC6D27DC43F0732681EE9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233511Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:43.465{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2BD99374DDED61A6DAD2EA7BFD7287BA,SHA256=C10223FB4C4A405D9B58092EA8C2B846AD8EDEBFD9E5B7C75330B8CD7C114123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233510Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:43.231{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122A72545067A360CB1E82608DB5CDE0,SHA256=2ECF24148710F6112C1C51E87DB355CDFEE18CA3E7525CE85CBE62EFB84ACE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:43.410{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CE5350915A26DF541473E4B0E7040C4,SHA256=F12E886F0177438BB157647F6434BBA84ED8BFD417365152EB53FF88E90FC81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:43.410{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=406120A16BE4346583738ECBC7380C5E,SHA256=C54674E40969D72E4F5AF2656C0C9F941C522248FC9D92905439601F9953C03E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:43.222{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A7337736084BDD08CCDDB1B796E008,SHA256=36349597F14EA1CAE44A9AC88990E3D8AC3F953263F80D56DA4437ED5CABDC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233512Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:44.246{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604692F410C6E83A7F8173A9ADBE91EF,SHA256=BD1EFE58EF1DFB5B71DCB5DBBD05C6DCB930B8C8209E76FFA497E01F5196EA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:44.222{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FF3B407CF5950F06A9C950FDCDF452,SHA256=0DB177E98491E5CD14338D0974DF0EC88E4891FC47C90FEAF5344E2B937E8DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233513Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:45.278{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC59D24E136FED3DB3DF33B54739DE5,SHA256=48333D1B6E929AF099AF38F6FFE11FCE27B57C9662598114B10B7526473CCB5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:43.761{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:45.238{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3780CBF6F0DBBFA5BDE539CC91DBF7D,SHA256=073DC97B2B6837F31F5E0B3982400750AB83A6BE0723E85AC74DA219C69C202B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:45.238{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8D586C82A3747B0D81012E96A47B5317,SHA256=0A4EF110DF7E35294B1BC019C39B7859DD641F887473F09853C163BC7966993B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233515Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:46.309{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7956A4E830E0076764E7E03C24706154,SHA256=2F0A661D1D094377F742421197D4F142EBE350D94830FB4A787DC30E61893CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:46.301{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBEC8E85416192F565693D46CD8EDBA,SHA256=DA5FEC58F72BE369A1AFA7490102C0B8C90DA9FA7D3EC229C1D66283A0E3C6B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233514Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:43.179{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233516Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:47.309{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D82CACB03D866084032DA46BB98B403,SHA256=03F680B1AA2FF5931F9265D891C1094AB0F0172F32E3DC893D9A2049FEF62E1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.347{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.332{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.316{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.316{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.301{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEF238F9AF70CDFE79AA62CB3BAA3EA,SHA256=10E5F27E21C2311B2F860C585EA8222E8C1F493A11870F33D58820F81151DB15,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000274886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-26 10:30:47.238{80A11F3A-6D57-6127-6D04-00000000F201}2764\PSHost.132744474470568260.2764.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000274885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.176{80A11F3A-6D57-6127-6D04-00000000F201}2764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_d2hzso2r.mc2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.160{80A11F3A-6D57-6127-6D04-00000000F201}2764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yf4gqhjb.er2.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.144{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yf4gqhjb.er2.ps12021-08-26 10:30:47.144 10341000x8000000000000000274882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.114{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.051{80A11F3A-6D52-6127-6C04-00000000F201}18801864C:\Windows\system32\conhost.exe{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.051{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.051{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.051{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.051{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.051{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000274875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.051{80A11F3A-6D52-6127-6B04-00000000F201}1572964C:\Windows\system32\cmd.exe{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000274874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:47.056{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershellC:\Temp\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-6D52-6127-6B04-00000000F201}1572C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x8000000000000000233517Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:48.373{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA3181687C0FCD391E968F39119DC1D,SHA256=8026A76FE1646E58274AEFD6D56F024C1BE4F50C4FA95BA930A76447BAE1B2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:48.316{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B57C7668500BA8B271E748444D46B77,SHA256=B727493D4071ED950289B435D85E410E46D368C89F9A4BA860C19B911BD30221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:48.129{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB9552C44B1EBED2A21FD5C18C0B0BC3,SHA256=29ACA42882C69A4D0D8274714F1218CFF70E2643A8DCE8A9ADCBFCB53201D618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:48.066{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CE5350915A26DF541473E4B0E7040C4,SHA256=F12E886F0177438BB157647F6434BBA84ED8BFD417365152EB53FF88E90FC81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233518Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:49.418{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A87655F88EF040490B405DB48FA8D1,SHA256=78A94A49F60E6076284A0E37E423084821C2A42CC18431607666BBA1499B1E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:49.769{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:49.347{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937127C246CB7C61AB3F893D2B6CAA3C,SHA256=D92A05C4BE3F79AE3BAE38ECD1178E9AFDCA378DE459F963992E04E7E2F7E91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233519Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:50.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CDD06D438380C984218CB55DE2D3F0,SHA256=AE609EF4F750C116011965104E002C61B499BF9F3C55900EAD5F98E44F8BAD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:50.363{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F63E74219C803F03D0E73CD9EEDAFEF,SHA256=D92A350908C711DB421C1A2F9558F3C5F172F78EDB50E8D756870E776080EC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233521Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:51.496{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEEAA5D20AE2C65BFCBC3B5B6B79F437,SHA256=E41C8C6BD02739A0D6240F93CBD122BABB835883290E5DA0AB09AAF77D73B186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:51.364{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8CCE07803EEC75009E21167DAA37484,SHA256=01CE7B1CB04915B1E95094827A1DF3E6400938AC3742420F5CFA70241E7FA90A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233520Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:48.211{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000274899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:48.792{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:51.035{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=373F03A79FFDB8238564AF1098EC68C3,SHA256=B0303F1FB9F2C83D72270F0230C99C4611F117EC16EFFAEF7FC68F9D0B145C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233522Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:52.543{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEB0B651773662FF6F51ECAD46D91FC,SHA256=E5CF6DC695E2CE04B5266E0915C0F73B2CA6ED1AD6CB34310CC1880A85DBC9D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:52.394{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47083CB73A1FB608B4062E5BB5BFC061,SHA256=307491ECD74DBCBE49D53E8D2DFA83DE4A73764978C8284A17D35D583CEF4E54,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000274902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:52.113{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 354300x8000000000000000274901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:49.325{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000233523Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:53.575{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31409C5C928BBE0D149E0BCAD23E5F73,SHA256=3511CCF075BDC5FD5CA11FA455FEF12010C38CEA164186D512B4DA8381797157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:53.457{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5287FA3E7549EAFBE63277781D4A53,SHA256=F8735DF2996AD004DFB9C8FF1C1D7C371145515E438DD27036A5B1F3AC6E4104,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:51.989{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64092-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:51.989{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64092-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:51.809{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64091-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:51.809{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64091-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x8000000000000000274906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:53.160{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=97BE9344B8E7C8C2EEB651B7B0F73265,SHA256=073A9461314DF7556F84859D9273AF2E5B462B01FBAEDC4805E4193B0C663A36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:51.682{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64090-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:51.682{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64090-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x8000000000000000274917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:54.472{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B924E2FA07FBC3F36880FFC57BEAE85,SHA256=CBAB0E7FE362589464C30599241FE716F7497356182E4CD0EA7D598D72398877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233537Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.590{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7FAADB732A6FAEA276C6BA7EE84FE2,SHA256=6F51E6804E97045E3E2C6C8EAAC85DF8B3DA74E76B53610C2442ED4C4B63BA5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233536Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D5E-6127-1A04-00000000F301}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233535Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233534Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233533Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233532Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233531Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233530Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233529Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233528Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233527Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233526Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6D5E-6127-1A04-00000000F301}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233525Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.496{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D5E-6127-1A04-00000000F301}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233524Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.497{D371C250-6D5E-6127-1A04-00000000F301}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000274916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:52.121{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64094-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:52.121{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64094-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:52.092{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64093-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000274913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:52.092{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64093-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 22542200x8000000000000000274912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:51.681{80A11F3A-6D57-6127-6D04-00000000F201}2764win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000274918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:55.519{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E308B450ACBB2BB4ED13B6FCFB797C8F,SHA256=0D6BF3CEF734AA3FD8004B99B99049E9610197B4F1DD14D672E3CF8FA8294388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233567Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.809{D371C250-6D5F-6127-1C04-00000000F301}30362512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233566Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D5F-6127-1C04-00000000F301}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233565Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233564Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233563Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233562Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233561Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233560Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233559Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233558Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233557Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233556Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6D5F-6127-1C04-00000000F301}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233555Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.637{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D5F-6127-1C04-00000000F301}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233554Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.639{D371C250-6D5F-6127-1C04-00000000F301}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233553Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F277D5B35905720828042A326A4E246E,SHA256=0F882D1145EE2AFF90CD0091181F60E49D0291D8686AF1B9A1F29B0CE24D536A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233552Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.512{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1210113F622A2A5417BA9C24139A536A,SHA256=669A54A398BD458AC3C21D65F00D94FFA9FD4F7E697B863E864CF9242E2B85C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233551Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.512{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1990666194AFB62F89F2528BF5B1013,SHA256=5C43582112416AB1FFE222B2A379D51A4CF682DDDA056F5B534DF7CA71F09407,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233550Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D5F-6127-1B04-00000000F301}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233549Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233548Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233547Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233546Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233545Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233544Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233543Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233542Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233541Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233540Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6D5F-6127-1B04-00000000F301}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233539Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.012{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D5F-6127-1B04-00000000F301}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233538Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.014{D371C250-6D5F-6127-1B04-00000000F301}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233570Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:56.656{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C093BDD7FBE62122147BC9C73EC7CF,SHA256=1049F28B177056CDB19B7BEB3A31176C4A5DE8F3FF09EA9A1B185EA8A696947E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233569Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:56.656{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:56.942{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F63948123A397492E92A79850F53E2DD,SHA256=9217D19E709316BB4F3DD8B587884D38B4510EE40CCC08765A4FF2984B97FFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:56.519{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE352EF6790D189F6102E8FB0B26D074,SHA256=CE4396FC2956F92C1926167784BD51152E7B5A09ECD121FBD94F449D59E3F95A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:54.636{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233568Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:56.640{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1210113F622A2A5417BA9C24139A536A,SHA256=669A54A398BD458AC3C21D65F00D94FFA9FD4F7E697B863E864CF9242E2B85C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.910{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4C4EB1E29C784574EC4A6C3AE09E8B97,SHA256=CC9FD6CAD81E4E7F8859B4EBCA286DB3911C81594D330BAAF2873AB12E87F453,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.863{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.863{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000274925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.832{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=88E77DA594EFEAD8A5ABF7DE38B83523,SHA256=E3BA3680C6E3B53FF35005CAEB32713C4849F2F45168977FB562F72457631FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.722{80A11F3A-6D57-6127-6D04-00000000F201}2764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-391.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.566{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFC734AD8EAE47CF30D8F01B4341CFB,SHA256=BE86E1416796181528E8970E46BA938DA0677271E6C37C546090E88EF57370DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233573Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:57.697{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86556BDACC6B4656C2A390F3A2C17B12,SHA256=6B9A5E4658D315433C6B57CEDD7609E994CCAFADE4FB60D9B6A93707D6DED7DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233572Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:54.213{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233571Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:57.142{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-125MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.035{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=126E924A495F33CE190767C4BA5C767B,SHA256=ECE200F468EB18415D6EEE3357C7952E3AC781543F62B4ADEEA8D124E5B620A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233590Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F7805433CF80000999555180A46C33,SHA256=1D2B22E5619134CE95B2090EBFDA2B3699CACDF5C8D36E6904E49E807174E76B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.242{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64096-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000274930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.242{80A11F3A-6D57-6127-6D04-00000000F201}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64096-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x8000000000000000274929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:58.597{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25B719EB0C6265081932551CB30BEC6,SHA256=F2ACBA638895687F88F9F6F796642E3BA956742FB1A810D49056A8FF78D7E4F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233589Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:55.617{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000233588Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.429{D371C250-6D62-6127-1D04-00000000F301}18683260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233587Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D62-6127-1D04-00000000F301}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233586Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233585Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233584Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233583Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233582Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233581Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233580Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233579Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233578Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233577Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6D62-6127-1D04-00000000F301}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233576Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D62-6127-1D04-00000000F301}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233575Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.210{D371C250-6D62-6127-1D04-00000000F301}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233574Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:58.150{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-126MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233619Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D63-6127-1F04-00000000F301}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233618Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233617Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233616Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233615Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233614Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233613Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233612Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233611Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233610Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233609Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6D63-6127-1F04-00000000F301}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233608Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.837{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D63-6127-1F04-00000000F301}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233607Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.838{D371C250-6D63-6127-1F04-00000000F301}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233606Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CDA72C073BC0B2DBB0239ACDC81447,SHA256=807E5308FC1B27B82E30F42C8CD9CB6E19D7CC4DBA67BE7DA9F4E2B7A87600A1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000274937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.242{80A11F3A-6D57-6127-6D04-00000000F201}2764_ldap._tcp.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000274936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.241{80A11F3A-6D57-6127-6D04-00000000F201}2764_ldap._tcp.Default-First-Site-Name._sites.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000274935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:59.597{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D290F469EA5E259B8D5198C00BC88A,SHA256=F9705F57E89294EE3C86EAB0AB333E0915EDE630154F7CD5A770FE96DC28B6C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233605Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.603{D371C250-6D63-6127-1E04-00000000F301}34683476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233604Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D63-6127-1E04-00000000F301}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233603Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233602Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233601Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233600Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233599Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233598Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233597Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233596Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233595Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233594Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6D63-6127-1E04-00000000F301}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233593Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.337{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D63-6127-1E04-00000000F301}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233592Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.338{D371C250-6D63-6127-1E04-00000000F301}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000233591Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:30:59.274{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B946C773F6649578B3E897FB81C83810,SHA256=1BEE662211F9166D8D57C9490EB5D26C1714D1FE6EC87F38603CD666915C0AE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.438{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64097-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000274933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:57.438{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64097-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 23542300x8000000000000000274932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:30:59.004{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B8D69F8E6521B7A95BEDB7BA208A52E,SHA256=817D1D3311FAAEB92B0567E9A9F3D2A36BA8A62B71CD655699ECE68811374318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233622Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:00.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E1C285FC49FC31F981755B373AF281,SHA256=CA4732DA88AD624AC063225A97BD1AEC06201AAE386908485A20AFA433E15136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:31:00.629{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126B30EB1E94E6101105C43D69913DBC,SHA256=8A12DA31FC3C116C8BC931B5E354F60243C4E1C0D043A34CE653D0A70298A0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233621Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:00.368{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA33EAE3094B1BBC0FAEF611DBDA8D6D,SHA256=5811BF1B115D985B7E70CFC0299E06FEEC8DC52C2DBC4B905F319BF4BF36C997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233620Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:00.072{D371C250-6D63-6127-1F04-00000000F301}26443980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000233623Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:01.790{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F216C8592ACD571FED301FC627B396C0,SHA256=6B7B7A0B249CA8477A88BA366B27AE4CA71EF81C05A8C509CBC3411B4011E872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:31:01.644{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4147718521EFFAF2B7744E2A75A3076D,SHA256=604CA0C43FEC03EA73B314877303A532659E246490D2C2BA1D905D5A03AAF83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233637Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.790{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D13E7E522CF559E1CFBC448794A7E0,SHA256=1F9E2DA9F534DC8DE92AD1FAE9720FAEDCB2E4D0378644E2960D3A45C24DE5A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:31:00.683{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000274940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:31:02.691{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50579992274AED5EE4BC83EE36BC4EDE,SHA256=6F5FFF84B39B8BB1F05C807512F87CC07D3607B82DFBB570F9C3AD08AE5F54B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000233636Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6D66-6127-2004-00000000F301}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233635Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233634Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233633Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233632Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233631Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233630Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233629Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233628Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233627Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233626Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6D66-6127-2004-00000000F301}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000233625Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.009{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6D66-6127-2004-00000000F301}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000233624Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:02.010{D371C250-6D66-6127-2004-00000000F301}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:31:03.691{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F244BD93811CB39114835A67ECBE0384,SHA256=D689B7D2AB075CDF4BE8C67503D28C95B778C80E8EA9570F6C6EBE9BF1A4C306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233640Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:03.837{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93AF6C6150846AD3A2ACB254F0D55F37,SHA256=2720C1640372EA816375AA40BC3DCCA84BFE8F91678380D351A29C8B882DC484,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233639Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:00.223{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000233638Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:03.024{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A89ADCC864100220AA0497630623AB0,SHA256=0F6466528C8241B0F3304D486BBE8F27EA38E906E8DA13AD7AA6440130C6A6A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233641Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:04.853{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6195AC010CA215D823927B1BF691A52B,SHA256=748C084433B34ADA3F693AD6A7943F4EE6033308E5A78DA041E42D5A6C0C5EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:31:04.925{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576092C7C53607A83DDEDEAFD3740BB5,SHA256=4DDE40D1BD423F3F175B6F37EC3D4C6349DEC3853E6C8C4C62990D5C62D04965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233642Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:05.899{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74ECF685F75C6EB7E129D6B2D790EA69,SHA256=1A55D4BF8CD3BE77615E47B8A5A108F17385D9802011025FBD016AE02AB6F823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:31:05.957{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9227E22CA46D9B0530ACF2B5B0F4E12,SHA256=CD3783A9A8A0377B88336423947EF8919848CD6D02B9EF4DA981D3F7BBCCDAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:31:06.957{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EEDAFD5F5379F8B82F650C1F2D3A48,SHA256=F7431D291B1514734DFE0472706375C7A5D91D77A342F4F64CDDF13EE609406E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233643Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:06.915{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98547C1E5182EAA51972CA387D579A8D,SHA256=F4D7DB0FFAE1C34A6044EE636B1FC74997137FEDF524CD41EFF0955BE1044A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233644Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:07.931{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CF84F48A0FB10E22E2BC8F205F0E95,SHA256=4B1DCE758FBB8316B31CB4E7142BDB8C745E0212C02C3FB792B4CA252FC6A133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:31:08.035{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C519043137392734101DF2EF469229A,SHA256=C06A8F342CD70F1AF07F63E93651F859E1D6792F7B38A1EE2000318A88E0180C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000233645Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:31:06.099{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000274947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:31:06.636{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local64099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-