23542300x8000000000000000271636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:09.735{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E1ADC1A1D7B9F5087FAE86378DD5FE,SHA256=4063839590A07E0714911A4AC67ABF343F87A9214D7AEEE0EBB027C798E05A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230946Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:09.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524F4B79C70D66F99BF16CEC4FEAD244,SHA256=80C4A198F4ADBCD1D8D367DE3D5CA79D37AB18769401F4906FA64044214226EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:06.600{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:10.750{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DDF7663B6692F5E580F1CFC969DF42,SHA256=CFD3F9186713F231901062093FC579B2B4A2FE0D75D02EFCE1E56E34316A5193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230947Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:10.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0034DE7FED972519A2800FE8ECE469,SHA256=B89C2864E97EC2B40B369768D50C0AFE72B7F655E3D15AD50F5658B7AF8797D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:11.766{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19595C222BAE9134B65B2CFC287F4AC0,SHA256=686D42B0F27A32C900B17E2271378E1D26CA90997BD5C24046E61AD793D0EA59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230949Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:08.215{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230948Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:11.075{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EC97337E6E8DDDF67EA750E9AA7E04,SHA256=B090BBEE0E9836D526485C1966CC9A23613D3CBE210A1CC4F48191B8BCDD279B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.781{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC05470DF67EFA3932655C073CA0A703,SHA256=86965AAA8EA50C22B9B530DF44978DDE6CCF1819DA2A2E4DBC156776C8F8EE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230950Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:12.075{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8784FD9C9FE20F524F8207DFD01B51DF,SHA256=2F6C1473532AD7D7888ED3AF9B744B72DCEFE581B7865347967A608B2F311330,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.048{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.797{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE8F1196AB48A6793B693771C58ADC6,SHA256=CC2060F1A2EC1F0B8496D7BE76D5897483770AEA49CB0F29DF90219BDCDD6BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230951Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:13.091{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F25B2DAACC123A1D19B6D3480175E0D,SHA256=767C95D919CEA0EF7AE575CEFF9BE8C82F29B601FC3D56259478223E17F0B121,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.766{80A11F3A-69ED-6127-ED03-00000000F201}46362472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.564{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.094{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71D6065971BA0CB8453C4873D5CB098,SHA256=7C4957D10FCE6B6AEACD0B2FBFFE53F2AE4B194CDC515D56ADE21117E3BCDAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.079{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EE01EBDB892D57CB574C7C619CE445,SHA256=071AA66760447A48BAA94BDB4C9A54E57E1410D60C60FBB69DD13E3EFEEB2952,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.064{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.813{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253B1C92B428AEE945991DCF18953C22,SHA256=DF39D830E7F0E3C73EAE7899E1C2A735C1D7592A9F2D9D9401717B3EE41D5D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230952Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:14.122{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40DD543A352482673196830FFAD64AD,SHA256=A33605625ADCF13E0CA86F9B355B59CF0BC0A5B1CEB2B5288654DD305E6A68CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.641{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71D6065971BA0CB8453C4873D5CB098,SHA256=7C4957D10FCE6B6AEACD0B2FBFFE53F2AE4B194CDC515D56ADE21117E3BCDAE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:11.772{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000271673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.054{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58098-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000271672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.053{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58098-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000271671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:15.828{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0253B633F6CA2F203D6F4C777FBFDFC9,SHA256=F907072CB138854ECA19BFDBB6E8D906A9E5733B3F485DBA81A2735EAADF88CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230953Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:15.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3809FEA2FC63DCF746AB22D7240CEDCE,SHA256=0B2E6E253E3215A90E93E12F67BC37F9D8412C304A4CCCC785BA4D1829E84D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.844{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CD9D3001A006ADDEAFA5E30C0F6367,SHA256=BFBA4937F5D6D48F68BECAA0DCBE8580A5684A501DE054E62222E9F76A4CAED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230954Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:16.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8919B793BB0A8B4DE9CB30C2BD35DDC2,SHA256=56CCEE7792A1E0100A72D148574008E5B40A19087492415F51DC84D3307A5C18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.798{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.844{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331A0BC3B9F0C759B3E98ADA9B1EB3BB,SHA256=758FC2895A8EC27598F317600E1CBDAED2F5B3D9D0832DC91DCBF4D627596F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230956Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:14.059{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230955Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:17.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A508852F9B6542B5DAAFBA1A1CD70AF,SHA256=575F9284A7A5EFA51A926FCB3E0617490807810206FC17D59562C538A10E4BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.813{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57F59B2B300546EB7648553A083B9E8A,SHA256=23FF54AFE720B5A1DA6FD800C53B052CB99F56EFA2F78FE72972F4DB17A44BEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.798{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.531{80A11F3A-69F1-6127-EF03-00000000F201}32601000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.298{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.063{80A11F3A-69F0-6127-EE03-00000000F201}38045076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:18.860{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579FCCFF4AAC912FC7BE6771BCEC3248,SHA256=65A89773A5BE58E9E6F3E790C86E4AD5389BAB4861D28018BD6C098451635AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230957Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:18.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44257D1185245AF826FB7D7E16DD808D,SHA256=7CE1DFA7A900EBB0F3D5E5441CEC853481C23A369B5DB8F272C762574A78C426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:18.063{80A11F3A-69F1-6127-F003-00000000F201}20965096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.860{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8DF1C9BC6117F3E5C4DBC21B525BD5,SHA256=C16F9AB1707C4BC19C80A451E62E24C770C177DEE435F096F5949FC3041092BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230958Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:19.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D174DA8261F91D297AAD7FFD0734611,SHA256=2BEE2DE4C953BF382DD8E429F296D0F2EEBB4BE7B744BA321A072CCB2D86DD38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.517{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:20.875{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80E8F566BA7B8912C6B4E4F3EB0A2A7,SHA256=74448CD5AB1C241E7263CE9E381E69C84BB75C8B0EEB00153E09DEAD7015496D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230959Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:20.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694901F67A8D9AD33619570D8B12BACF,SHA256=A967468535A76EC00157D34FD94FB08C7D2E9EACF03D4DD73F4EDA909A2815B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:20.578{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1A0E8BA6E2B7F3321BFCA710A6D814E,SHA256=C3FC856D4F88C37D452D0DABB76DE64E3FF6C4A424F1196394D83932AA5940FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.787{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:21.891{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F2EC5F1A5E4C0CB10B4978EF8A039D,SHA256=E4EF4892B655FD00BF34C13FA10FDFC6CD19EF0CA576392DEBFA4EABD0BD6617,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230961Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:19.090{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230960Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:21.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018602F0EB43FD14DF44FBD8981961B8,SHA256=9FC5DA7F831A4300274CD2B419937431D09BB0DAF2592A2BF47D71C625D75D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:22.906{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AED429947949D48DC626D46DF9474E,SHA256=E2FF7DD04EC83EF6B4474CF096AA39DCBDCE4E6EB807FC0FC293789779D85B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230962Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:22.247{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0C1DDE66C794630160365D3749F0B7,SHA256=2F8C73965B698CD21C5D4568EC0A64B90BE15E012FE784DB97B2B9977F02F131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:23.922{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D46CAA111B1DBEB5466DA88641AEC0C,SHA256=C5E4495C433D3514638F993B894B0529769E3FEE1379DE41ADB1928D2CC73083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230963Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:23.262{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0552779145A4F37B85C114E7347C0A06,SHA256=562E8A718B0EA8D33E8F97A7FF5ACA8F9E72582BECA8EF40CFB5D9A34784EC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:24.922{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DEFA84A022AEBCF0496432A3813B9F,SHA256=066DE017DA710445D6AE2D0D95C6542BE1CF3A34DE135CC62A72453B6E8EBAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230964Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:24.356{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958F97B06620A3E105789CE9086F0CB1,SHA256=7AF8AC97A0CC45F7569C5D6A949A0B8C76C71D8E592A36C6636494E8DD33B539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:25.938{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3A08A829B42DC874134FBE899E90A5,SHA256=2EA4A555F2B11C2A66880A316BAB98267A9C6158B3E1FF7473E897C5BCB927AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230965Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:25.372{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E44DCFC1CF76F3F8DE000CD88EC9D86,SHA256=9D7520B825F65A3A970575500BE61DEF9AFA70311AD8956C2229D3625FC301CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:26.953{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83D1849C3BA1D8E500D8306A40E1B30,SHA256=70734C293A6D64D4A09888FD3E1D0C20AF6164B1F14262ED088EA8C9CAB5DB51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230967Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:24.107{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230966Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:26.387{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBE46E79E5F097DCF910FE4A58F6A41,SHA256=C43F331E89D1F1037268B7ADA1875D1E2F62AD34A779C26F86F23980CF8431EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:23.819{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:27.969{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74FE06F60E36214C7AEC1F4E0EADF76,SHA256=6CC7431E7EC319D14E445FC2367F1C0A1CE4FF5CE584254B325211978C968452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230968Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:27.419{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196BBA9AAB1E00F37868B6F11D8953CD,SHA256=D8F257180B513290D306C25067DE06EACEC0C550CE6251069F27E42FF4499FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:28.984{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C795C71C58EB121C873420AEACEE392B,SHA256=D58324E237C7262FBEB56DFBB233A1B0C84B13C725DD1071E30A3328FF1FB759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230969Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:28.419{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB13E5D7FDF870337D3CAB5953BA9EF,SHA256=90B1F08C9C1CAFC72D22814EA86A357ABC3D779D4D43EB2E894C2867018D54DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230970Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:29.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB5878D9B88DC8DA951E5EE668FAA7C,SHA256=413F13690FDD6B442A02B1EE943393C5124376F2A5D3B84A5ADC97E080C993B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230971Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:30.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB06C9592174041CF6510CECA6DA89E,SHA256=B844E26C40333CF62A8218E49EAF59DFD4FC343876C220C72E803B456E1D02B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:30.000{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192CB51541F4A97049B887553A42E8C2,SHA256=E70A121BE9DCAE3C4348FD4DC41202A938C4D911A06BC78B08EE210EA2E4844D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230973Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:29.153{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230972Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:31.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBE99805D8D8F66CA8A43842FE36123,SHA256=F3ED489300808EFBCA0CB1F76FF44363A33CB5C37A4FDDD10743E52CF4D13B3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:29.569{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:31.016{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A521496A986195DE03C80A7AF9C838,SHA256=C1799D88173193C80E7D095183D7054001180A25F9E8A427E4DF96E0E2D3F91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230974Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:32.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F034CA97FED58E7894EE4E083CFAE7,SHA256=4810C260E5FE53A3905FF974BA2489B95E43855DCE579297455730678D6A61BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:32.016{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485898EFA44FA81E12189C85E62F521D,SHA256=04D18C233B3F85EFAE78C5359D559A892D4EDE151A24F10715D1A755023E2CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230975Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:33.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B492ABE0CE0E5D53787335198DDD3275,SHA256=E0029AE6E0E5A4855202474CDA14BE1BF0F14B9D1BB7CA51FEB525D7A6EB7A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:33.032{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31D0FE0269A7B35B1CDC672A7116E86,SHA256=145B09BFEE06206715F2499F5E210507CFD03BCE779EDF220A0594CCB5C74370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230976Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:34.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C2C0B9CEC22A249E579F3F0B2AAA24,SHA256=299601E9D51746DDADA04DDF390F3DE0D211869F4736FFBD28E1F3DBDD2277BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:34.047{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61408FB23820B10286BDAE9B4A1DED45,SHA256=029ED69D7E2B0E33DD88E7B6F9047ADE1E802FA3B0F8AC94BA4A123B006AF0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230978Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:35.750{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-111MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230977Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:35.514{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704EDC7CF31AF58906D09124783BE2CA,SHA256=A8846D265CBCB3A35EC6F0D614B74DCD54747F48B1E2DFBA23ECA268128C89B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:35.063{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0708C22474104C6BAB28919A39A2252,SHA256=64BA7EE16BBAD883BD00D95F74DD5DDC78E047B932F3332F830404092393430F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230980Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:36.749{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230979Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:36.514{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CA7E2E0B6AD0CD48FA6DE2E4F7259B,SHA256=259A315F30DB7A9AB592922CE1F9F039BFD8EBC4B6404FDB7786D1C7163265EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:36.078{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F5FBBA45805F5C663D36B30D7D6121,SHA256=624D6D7D149034507DD1FA7242B04A585663C992E53CCC229A96AA46DE74CDE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230982Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:35.123{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230981Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:37.528{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DDF03C3B4A783BC696BD38F1A7CC2E,SHA256=E61012A5D6A588757C747C49AAB3826827704DF8DABCF97E95173D30FFE71464,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:34.725{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:37.078{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA54183EFC6C64D762ECF2D57A0EE1D,SHA256=632DECCF04A90F5D7AC9D5228DE67D4E75E69B2CDC5D817BB7A0FCFB584D720D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230983Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:38.528{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6E92A09132C5CAF6773C5E8A004037,SHA256=3C22AB9AB4B92212F3ECAB7B5AB6AF29FC336330402D33882ECB7E1B34372E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:38.094{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12925719806EC015512AAED4E1DAAB1F,SHA256=E52D44CD0E3E63756CB87C6BDD7C3C02EDD7D58D04B784FB563A391A9645BBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230984Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:39.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E501A832D60E886A53B3E06A84BF09CD,SHA256=EDAB2D925B385739C33833DA3D8B1AFDEF58EB7FF0FB1B25A00FA089B7A408F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:39.109{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EECB45A549BC098749A621541E5C852,SHA256=313776B5E6D36EDB24B8FE67C22FBE30BFF3E254ABDA96B5777C4D5EE673B1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230985Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:40.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAA6A473C0D076226D4F8DB64CB41F2,SHA256=C2A0D3C4EE29770AF6188FEA7268B886921773AD8464D7308635C90E59C93B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:40.125{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77BBB92A3E95CFD8B8B6ACBC7F70F3C,SHA256=0EFD29CFD60E1A2DF09EE60018F53EF8103B6C06605D7B35318C1F576EE68669,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:40.094{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a63-0x75e29bba) 23542300x8000000000000000230986Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:41.669{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C24AB0D28A3D412E8F578DA575D667F,SHA256=B63A2023AA35B42DEE40D626B50A647F1E53DF4E748EB618416191411BA7F2B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:39.772{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:41.141{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4F07CBF8674A4A2C64769AAFF8D589,SHA256=E91B10132F9351096A0D44A9A500FA742E2DC3E3FBBF66DE790E0F1A31E395F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230988Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:40.185{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230987Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:42.684{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73928ACBA93CF88FE611FE6DAD24C2FA,SHA256=E99DE204B72C9157765771C84C8842B1F3881A9A47310FFA9CD2E5F8397C3E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:42.156{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2A0C58EA293A5B79469CD924569902,SHA256=DA92FF204F428032BFCB4A69E4E81C167A8A6DDAF43D91790DE0944693E5D974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230990Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:43.731{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683CC7FCE1464A45145FD8B9DD307EF8,SHA256=E58E203CF5B02B083617327386D43FE4D965A923CCC70F7BE0741232694EF63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:43.172{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0A626DE11EF85DF26BCA52C197D7AF,SHA256=CA660A95D77DB700CBAD176655143D4541CF97FD75C0CB0D213D5278862E4A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230989Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:43.419{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FB161ACB1DC396B9FA772F4748C48BC8,SHA256=3E9BA90C006A46C6B041476A6B7AA2B1F31C00E0349DAD37322DFA6A51009D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230991Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:44.731{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60072C865FF7948229FA0DAD1E220B58,SHA256=50336ADEF14CF4B3B71BE1CC3674F46F1AB103B87A61D585A01F812BE74D22FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:44.172{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E803C9973A97E77EE0FCB753E7795081,SHA256=60F696DB2B9C50EDA716A8BC4503365CA64B298FCEE3EB257BD5AA6EF623E05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230992Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:45.747{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEDC28FB24A95F18F2966743B0382AA,SHA256=6F54AC11F919447A99F56EBE3FFA478462C8435858FB85982B9FDBEB8E9B8C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:45.203{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEF138835A4D677905AA789C85F0A2F,SHA256=0FA3383E6EFD950F57CC84E6ED4F6E041532DFA85D2BC2425E0178C71BB6CCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:45.141{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DEE9E1769CBF61135D0EEFACC81ABE67,SHA256=6CD13F986E620787370CE11057C5AA645EDD22BC1749F23E73CAA86A5FFB0D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230993Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:46.796{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4D2AE0FE2FE2050C94E571A8E263FC,SHA256=FA4C80652232F0D4A21ED3E52A825B17F61F3D8E3546A1C350D618FDB3489623,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000271756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00696ff1) 13241300x8000000000000000271755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0x1786d82a) 13241300x8000000000000000271754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a63-0x794b402a) 13241300x8000000000000000271753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6b-0xdb0fa82a) 13241300x8000000000000000271752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000271751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00696ff1) 13241300x8000000000000000271750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0x1786d82a) 13241300x8000000000000000271749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a63-0x794b402a) 13241300x8000000000000000271748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6b-0xdb0fa82a) 23542300x8000000000000000271747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:46.219{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41727434564186227FC72D62805FD41,SHA256=75FEA50661E8FE82ACE8072EDE532BED7B35745A0D87455FEC68AE9EC35903D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230994Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:47.811{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CD93BC88F320CA13CBC70D85C8435F,SHA256=F1DC14AD74810B2BCD0ADBCD7F511B4F1CB0E48442E5D05B729033BEEF0A85AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:45.631{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:47.250{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D216E81B8394206AF1BED9890F12D90,SHA256=71E6667F83B2E6DDA5ABC6FBD0FF0AC613B06A50A24701CC1333CD8849C72FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230996Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:48.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44C952622744F316EEA0BDB457BAD9F,SHA256=76823E40FEF559DE87F6EC6B1C16DC3BF6C1CCC97AA102ECE4C870EE81C1D24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:48.266{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3843E074E7438EEC4AA98E6CDF59179,SHA256=DC238590EC9F1E94897C1E699538736D91116BE3EC507D2745A89B366D9C6081,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230995Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:45.216{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230997Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:49.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9C7BC0B46A69F318B4E4FBD565D7C7,SHA256=DE3A6627DA55655CFA2DD683BB9D7AC15E1B94068ADF3C43282AC21E92A63651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:49.500{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:49.281{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9F007C72F319D75718732C6BC79FCB,SHA256=8796A56AEA0DD1F85221E51F8FA2AC2D42A10C5A8466445D706F4D977E0B2892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230998Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:50.921{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80099D162311ADDB2FDDEC061C21952A,SHA256=226E2C452DCEA473F101FA413FFE98936ED9D61E670B9F92476BE846E645F411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:49.053{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000271763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:50.312{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6F9DCC05AB8D9457D88E04D09A2750,SHA256=CC65D4DB76C8262A57907BBFEDBB581F3675F255DA2F57A40541768AF5D41F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230999Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:51.921{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2969983A210C8E5E006ADDEE3AEC83E8,SHA256=D11385A8545C2C821ACDDE51F2018616815C0B6516C9E367085B914D7C3BE802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:51.312{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77365C85535FE251D4B41FC84BC09C2B,SHA256=242FF12431E4C93E375D96524CFFBFA9AF27FF123DB6944C7CD081EFEF91DCDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231000Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:52.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71E6F99AF1E555864D21190D5F0B766,SHA256=60C07726202A8FB6423CB9DDE6C7FD0D4253730F2D8171689CB1C9A5915EEF1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:52.912{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-111MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:50.787{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:52.344{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F87180B4750A46E13CDFF58F888CC69,SHA256=C966C614BE7FFD94CD853E2A73BCF2B8C6DF57815D580FE2DEE868E0D526A8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231002Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:53.952{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5B7B11E4D842B0BC03455DDFCE1C05,SHA256=513A125B5D1675E732801FD3AE889C2C7ED958CD520C2092E8C49330B7870542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.930{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E5BB78DD10AB5462E13732503E3B74F1,SHA256=9EF9B1B57933B316C99FC63E0183097E80398493F35107174CAD8E79D6A17570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.930{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DADAF3B356742E7845BD6D4D203C1DA5,SHA256=92E747718403BAAC3EF952FE4AB7E49BEFFE8ACDDC8C725D3BAB3FB15E576EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.913{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.893{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.893{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.893{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.815{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.690{80A11F3A-4F17-6127-1300-00000000F201}9881388C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.347{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D3170BB99B3B23465103EB54434552,SHA256=A6BA0D435C6B1400398D568A159C3A7254605D90AC0B1189209410198BED9E22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231001Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:51.046{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231003Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.952{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF523D2C711A61B6C98C9241E354109E,SHA256=E8EFDB8049DC189A3D1A4E0856C8EDD36D66100108308D469ABF84108ADFA657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.714{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.714{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.699{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.683{80A11F3A-4F80-6127-8000-00000000F201}2204644C:\Windows\system32\csrss.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.683{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.683{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.352{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589A956985B01FF43ED57FAB003483FE,SHA256=71A06CD92BD617B5058E34184CD39FAE282DB03BB012A90FA9B6F083A514D598,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.985{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{80A11F3A-4F17-6127-0C00-00000000F201}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000271788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70DF423E45663B54631C6C5C4E8F63F7,SHA256=8531A5B533EA1B948F386D2E7A3F98884FA90DBCDCF390E2D710752BDD0319C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F874CE492B314893F4A56D3845EA5453,SHA256=5346B829985E7894F188AE83B9AE25EADD8F1623EDD86A77B27E6B8371693BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.355{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F06E18EB4210CF192511278F019DD00,SHA256=12569CDB83E2D199E0D1BD75D3181CEC0CFA3DEAE5221FB2C142C0FD8B83C43D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231029Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231028Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231027Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231026Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231025Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231024Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231023Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231022Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231021Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231020Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231019Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231018Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231017Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000231016Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231015Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231014Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231013Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231012Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231011Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231010Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231009Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231008Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231007Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231006Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231005Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231004Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.000{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.168{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E5BB78DD10AB5462E13732503E3B74F1,SHA256=9EF9B1B57933B316C99FC63E0183097E80398493F35107174CAD8E79D6A17570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.996{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70DF423E45663B54631C6C5C4E8F63F7,SHA256=8531A5B533EA1B948F386D2E7A3F98884FA90DBCDCF390E2D710752BDD0319C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.355{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34A04F93F980626121557F94F6A417A,SHA256=17E307C192A6D0A373332F0C0D23604DE64B396280922E45AE04A3C81C7BE431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231047Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.467{D371C250-6A18-6127-BA03-00000000F301}27001532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231046Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.374{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231045Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231044Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231043Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231042Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231041Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231040Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231039Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231038Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231037Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231036Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231035Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231034Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231033Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.344{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231032Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1566B40EDF2E7482D11CFAED7C0037E6,SHA256=23D25FCF94BA789E841E09559B3F724134884B5EA16BE693249951701666BCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231031Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3956BCEC829848DDA4D5C3B88C9E71BD,SHA256=82C9BECB4DF06898A47108D214C81F0D34B4BF0B2BC200B2042DBE9149FCB300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231030Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D9B679A925DA76AB2F79092EF699F68,SHA256=1E82F5D620FB636E97F7117ADBEF4E95E38D7A5C5038C4E2DA65DEC3D35CC06E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.011{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.011{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:57.371{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7890D3A541351444FABB907F2B6323A1,SHA256=D58F83CAD877919060B3C88510A88652424DF941777B0E799BE8C80CAE75ACE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231049Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:57.342{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1566B40EDF2E7482D11CFAED7C0037E6,SHA256=23D25FCF94BA789E841E09559B3F724134884B5EA16BE693249951701666BCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231048Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:57.155{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4805048E6976373D0F06D5517C257271,SHA256=9463BCEDD847A31DFF983EBA13F34F50327777FBAD1983F0E38DDEC1B264286A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.767{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:58.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFD3B27E2973E69D35DE4CCD5FD0D42,SHA256=090D63974B8EC89C084C10E5AB57AA43EAC6F8E249377E0066AE0D902B838E60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231065Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.717{D371C250-6A1A-6127-BB03-00000000F301}8403340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000231064Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.327{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000231063Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231062Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231061Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231060Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231059Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231058Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231057Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231056Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231055Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231054Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231053Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231052Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231051Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.515{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231050Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.155{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0A3787E50E97457E9B6A0E55462D5D,SHA256=FD904B78D0A1149342DC0A1722843FCD0539B0724B530FF985E458BA1EBBD3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:59.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4179C61557FCA27557B4AE54D2D17595,SHA256=DEA77763158A80E134BE0BA37759C07967ED188661677D08A04D4B4F029D2405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231082Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.827{D371C250-6A1B-6127-BC03-00000000F301}1722408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231081Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231080Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231079Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231078Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231077Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231076Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231075Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231074Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231073Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231072Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231071Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231070Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231069Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.657{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231068Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.109{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231067Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.561{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B49FB646555A5B384AD697D8EA15AB94,SHA256=81710E512D2B85AACCAE66170D9D0E9887353BD69490816855F456C067A3484D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231066Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.171{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E450C0DC5FA0C9A4F936BD6A1C1326C,SHA256=14850E18FE0AE7D18CD9194359818501A12637295E8A021C99E9BA23BB4FB718,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000271806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:00.433{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-08-26 10:17:00.433 23542300x8000000000000000271805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:00.402{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1350CC684E97D9B89F4C0C22CCAC735,SHA256=F1C43F950A350B2A838D67EB88DB769423C9011B47DA234A2E887F1B826FBF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231098Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F27C289047E0365AD7D5D4067E5FDE55,SHA256=91DF3E5BF0CCB3FBBB7A0D693EA13905B5657B638DDCDDB5F5782FDE59EE464C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231097Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.530{D371C250-6A1C-6127-BD03-00000000F301}23323660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231096Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231095Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231094Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231093Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231092Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231091Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231090Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231089Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231088Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231087Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231086Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231085Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231084Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.281{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231083Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A9CD163F4D35115073F7DDB267E0D2,SHA256=9263D7353A7FC59F452B3158E22699839591980BD126B4AA33EA71BBB515C4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:01.449{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C1C1A9673477271DC657141AEB5A6B,SHA256=531A4955E9B65409D4D1C783D3423E54B0FFBEEBC703DF36C05EFFB04810AC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231099Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:01.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872587B160C62EB2A8FDA0184EC037F3,SHA256=A3CEB902B2273526C5E49AF226EE05EB2694979D7B439F545111A4212500DADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:02.496{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418658A4B3DEAB166C57A4B86E4BBBC9,SHA256=CFFB696A1AF8A79558ACE7C9AAE6F43EBA1F04D627A5314010C29587A58027A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231113Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D20A82DD527A82455002C0A548C954E,SHA256=3EA682DCEAF2F85486FC7619776A94DBBD67ADBD7DD509EDF67193EDB4C7B7C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231112Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231111Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231110Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231109Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231108Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231107Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231106Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231105Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231104Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231103Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231102Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231101Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231100Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.093{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:03.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E933A63F71B5D25B2270D03EE31B94,SHA256=6A1790AC5EEC0649BA148D74901CA22AF077957D4367AD208F8ED23A1D63AE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231115Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:03.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3A1EAA6FFAF94EE4B783FDC53D1B5F4,SHA256=5C6D1AF00E1BAD72758630AE422980EF582EFD9CCA9125C50EF99E73DE58224F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231114Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:03.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDD4EC31CD60B5C55C2665E19249961,SHA256=2220142B27369A5502DD347AF3076AEEF21F18EF9736E667ECD30395E001A18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:04.559{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019F4178D88B8D771F524BE3AC6260B3,SHA256=D083E6F4E12CF7566CDE3880EC4E2A3B7F85E900F21A0C1C75C0C464002E1B0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231117Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.031{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231116Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:04.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E39189AC2CFCC4460491A893327B51,SHA256=F6DE5B9EE1EAF7647F707F6622ED574ECC5E5D791C895695C7495E3520626966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:05.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A5918DFED48623231A0ABAEA39B167,SHA256=9E2407BEAD772ECA088C2F14926D2772F542C09577BE0AAE0901810D85D4CC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231118Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:05.202{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B5FD8DABA6EE2D07F234F3C9F69DBF,SHA256=EF6C3FE4D0C620C3341566B3C7FCE793F1FA42CE44EB2131094F1A5E36CEC817,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:02.705{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:06.622{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A945EC0EB3BBEB4817186AB9E9FE67,SHA256=BA768C50124077C247497CD8E12CDAEA73F62548AB82A581A4DEE6F448F3419C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231119Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:06.249{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B68ACAD137F21136450584CAB646AF,SHA256=2DB79A3653294E4F51651177863305D37703FC3A400EA063FDAF10BFFC9C9B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:07.638{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3CC52611E25D205C4F27AA56990BF0,SHA256=864B88A7C7338DB239F7339C7CA54A154017F6BB258A57C6EDF4DB211EC3733A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231120Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:07.249{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034CB109C0D5850B95AC9A03954A139A,SHA256=F88ED1C334C65B64529B1A952E47213B0CD9FE838F30C9A8911C590DF014ADA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:08.653{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB11D9907877D9BD4C788472F1DCA7A,SHA256=EB021E077FBBA364CC4632BD45C274BC46781AB130B3B35B089FF186DAFED3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231121Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:08.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718BA3FA347A8E9954169DB585B2B8F3,SHA256=864C2E25E88F255E9817A5A561EAE8630269AC312EF7822B5A44CDD48A4092A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:07.706{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:09.669{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1006B2929BF949559D5D6DE9ECBA65,SHA256=0999A584BE2EA196EACE67E4B34F32B610BA204FF559032EB8C2BEA14669E0F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231123Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:07.093{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231122Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:09.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6481D15C078DEE722E5B47EDCF5E75,SHA256=F82B65E48A1B4D359714262A10D290B1B58D0B6E32A708C82C047045D28E5037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:10.684{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F82F28D1FBF3BD33A9E9895E96EF900,SHA256=1D66CBD6714085940E63BB023F23FFC4F2202BCA9896E324DD52D27E52FA5719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231124Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:10.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB36EF8A9D1C699493CF773397879612,SHA256=A29FFE950172A4875BAD1C7BAA901B3E4FF790183A986FFE5EC373DB0BE31F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.920{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.716{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AC1C9DBDDD2AE6F89F90AAD9A642EC,SHA256=E01CA929AFE1236BE3251C595F2757AF0352D2B97BE69815D878824224A38270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231125Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:11.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB370B1CD48E37E32C635F6FFBAE6BF7,SHA256=206B8BD6F9493980709AF799F518AF20925F129739348368E8EA4B3366C2C37A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.934{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7EA3126FE14F92413EB8EAEECA980E6,SHA256=2F6AFA7C8584DE71163F63D5B7DDD8E0184DF709DAD0FBE66C92A3C9CA478ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.934{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC0DC81796F0B9366C70282C2FF1AC7,SHA256=F1FEC37E732631F158A4C334A472902AA4FDEDAE615CB0269B16C9B62C04E118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.731{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2110291F0D4A31C36F0DF8E393491E,SHA256=CB437E239B6CCCD59779755FC5F02EEAFEA02D300E2C7F16408D13CDCB32F2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231126Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:12.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA46F94CAB2AAF61FEDF255022D32788,SHA256=8BE6BD5A96694457FF6185FF783CD190C4D3624764FD86A3B05BF2363EF8FEFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.950{80A11F3A-6A29-6127-F603-00000000F201}42404344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.731{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EFCA1A56492F1A963945FB3FA2BDEB,SHA256=5A6F1FAB52BBDBA3AEA35E12E182FC8A2953B29CCC092B78BB011C40B41C2275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231127Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:13.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE52AD38C260A2576BA7BED9C384F8A6,SHA256=830289084CFCC0032B91554B84763262304EAE6ABF9BA2CD9FF83BBEDD5B8491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.670{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.046{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.825{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833E3509959EC6F3C3EF6221A2B820D4,SHA256=0BF88BF911FAA9DB068F6E91DFEF1EA232E6940AE6233E2144B4C782A5A682C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231128Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:14.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ACD6C1EB1C44A83B2F7DBCBA24D2DC,SHA256=29E3412ED57143E1864CAC08C099FDE62C4E2D29B71279197358393588DBD5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.059{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7EA3126FE14F92413EB8EAEECA980E6,SHA256=2F6AFA7C8584DE71163F63D5B7DDD8E0184DF709DAD0FBE66C92A3C9CA478ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:15.841{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B533185CA3F56C6ECEF414427BE941B5,SHA256=70E61E630C0B77416CB5A753AA602D53554995018B2903798F267D0EB057C59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231130Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:15.312{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E7F1AA40BC3E25F98F8A830F61B0CA,SHA256=59685AF623F006D311141DC48AC17E6E1BC555E07C6238F8A66517B5317FA653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:15.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84393FC2176D2CC2335E622F4BFCA4EF,SHA256=9106ACCA2371EB411A0317BBAC48223EE358E9C88DC5BE61AA9434AA97D90C50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.769{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000231129Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:12.187{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.841{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D35012C7A4A5B6BA5B5C71C6380FDE,SHA256=E4865C2EFFD24A0129BBB993A9251B4F7BD10F88817D6702365A5838FB22FE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231131Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:16.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F94489CA3A46B2D108D962FC6F7F23,SHA256=789553328C3F1F8C4EEE9703851CB6D8234B9224734E53B9A95AE443F0EA2C77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.810{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000271855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.066{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58111-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000271854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.066{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58111-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 10341000x8000000000000000271906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.935{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924768C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924768C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924768C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231132Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:17.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50087766B981777238D895A63A0BA4D,SHA256=FBD2BD43609641E6BC9D8612AB5AD33B4ADCCFB465C61EDB637E167D851DE346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.825{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3960D3AE79D824ACB3CBFEB0D48F2D07,SHA256=B664E1986AE43E598CB0BD856AC662499A1F24858B91E67AE985B687F63DB18E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.700{80A11F3A-6A2D-6127-F903-00000000F201}47005088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.466{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.466{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.311{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.247{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.231{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.231{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.107{80A11F3A-6A2C-6127-F703-00000000F201}11601120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000271865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.974{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe8.13Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\ad2.bat"C:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=0D634FDABB6046E5106293972FCBC968,SHA256=40BC229F0708E3608FDF9788E0DD7AC02DFB750D257F7F99CB95A1B3C6FCE9E9,IMPHASH=5962B5A92CD4E6C7B3EAFA149B008211{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000271910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.966{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91A918782CFFBC54644EA973B53AE01,SHA256=502753A1360F855F04310766B9BC14E5AF1ACF88324E28B12721588A64FA4A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.966{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4265C5F465B75C0EC9115E5C29B1E60F,SHA256=243607FEA8C122B5951C99EDF7CE036A5AC5C7A4F4123321BA36178E068DAE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231133Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:18.358{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE9A38B92A8E558F47B46872C736DEC,SHA256=CB4BAEF1D0DF2B9F8462972F36318242363AA7CB5A1E3B28F2F8881B88A66799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.247{80A11F3A-6A2D-6127-FA03-00000000F201}25961060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.200{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065AD014D211B7B9BC33635FD72C74CF,SHA256=6DA2B655DFB062315502C717A93103810F3090A088F68E3A96AC56C2C8254EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231134Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:19.374{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117CB59A0C3849015416D9A10AFD79B3,SHA256=4233E331179262C165FE91CB8CFBAE07AEDD807EBCAACE70CF4995538C13EDF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.513{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231135Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:20.420{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFBD076A825A03A3E236EBAEEF69B9A,SHA256=A71B0C47960524E6EDC124407DC5CC1EC971BDE979378EEE8B2D799CDF41F527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:20.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EC42042650775FE5D3060AFC5CC6943,SHA256=3DF61D17356A9C488AD70FB2B10AB895316A1F7789931C47EB4B1230E0B4675A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.612{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:20.012{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215424EF26FD055DBF38B487BCCBE72A,SHA256=6CBF8FC915C05751C944D8E5F9460CC9AA0501D185103FE487DB8D6F24D81AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231137Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:21.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FC2C07864A0F7CA6E3ECFF3BE7010E,SHA256=5D725CEC825F5505CF7B5BD46EB12044BCB0BA9263337703A1C9000F467B5AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:21.028{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031F9A004DB9F701388CCBFF0BA25BA4,SHA256=85AA58E3AB5DF7295BF1EEEC9B33965357B689A7F357E19CDA0560A106640EAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231136Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:18.093{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231138Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:22.467{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F080404C09B3153716A8A8D7FC66B486,SHA256=DC39A77DB0487906D63740D229EACA8C1C60BC2C1E3E175B4DEF4C4DFE9BFE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:22.059{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EDFF44E95A582D26F513A1186256B0,SHA256=BAAC4010E292D30972173251EE4DD72861B84489B364CFEF6B1DD5BCB0296023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231139Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:23.483{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239B6F0A3CED5ABD23FF49039C2EE8AF,SHA256=31376C39F7AC5D31A368AF89A1DBFC992589F8CE2FEDDF1C57EA037785827082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:23.075{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA0F618871505089AC0214DD8799C2C,SHA256=BBA4721B2B507DCD3871F994F03422617304E4050120CFE0DB98027AD1061643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231140Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:24.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635124B7F17A70D567F1C339E5B50559,SHA256=F86557CE4C37B458CC1E5513F514A3D7FF7D438066054627B1929C5F73ACA5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:24.122{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE606E90CAF156FB6174856C0CA0949,SHA256=880A403205885B9B7E70836A887EB85DB09A99E51577C90F3895705A383CA4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231141Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:25.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B261DF59B023B23E99FD8FD352FCA143,SHA256=815579044AC36A568E0FF01595023E328C16B64E81E7BF34740C3393372FB43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:25.122{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D51C1DE140EB1B11023D822A404665,SHA256=7588E5B04FF6B9C7B9E5EEC2701ABE43F491A4FBBE1807606291BE1CD153D870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231142Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:26.561{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7298D14096104547344BD6C88142060,SHA256=05F228990C9E8D3A5032ECCA3F31E34D7930CD750F1D05806C9CE14B67E04F33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:24.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:26.137{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D76885AE69C905CA94B4AB9E55221C,SHA256=0316EF4A7EF73DFD81BB7BCA319BE73EA4BD253A9F9677C06896833221A9C3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231144Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:27.608{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1D7F5CA5B9D7E4B222587493A28AFE,SHA256=353C402302AAC0DAB5DDCBB530EEB2697581EA46DD2EDB6D3B03FB664A4D6B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.153{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23F07E6085DF16187B1E664F79C8D67,SHA256=A14CB6C77426F1E7FD13DC870994852CFADC58F3EDA045E62D82752185C24CBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231143Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:24.093{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231145Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:28.639{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A27A3733B3BE764F0E3C4871A88956F,SHA256=5D76B76C8E21371D1B0E656D4074A90E186919EC8B613DA83339531BBF7E91E4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:28.872{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x8000000000000000271933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:28.856{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Config SourceDWORD (0x00000001) 13241300x8000000000000000271932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:28.856{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_306E0B0B-0719-4FB5-BA4F-7A2D80831A9D.XML 10341000x8000000000000000271931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.262{80A11F3A-4F15-6127-0B00-00000000F201}6323276C:\Windows\system32\lsass.exe{80A11F3A-4F11-6127-0100-00000000F201}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000271930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.169{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610229308CEEC61DDF773814DF2EC21D,SHA256=A3AAF0B4644FC83622F12190C0FA511D260BC20C5507FDF28CAF61B91FF05188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231146Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:29.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D330C42963C6BBE1C3AF071BBEE885,SHA256=F1A3041B6E36C239E29075CF9AF20718F8E9F844A289E6F8815FC839FCCB9DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.835{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58116-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000271942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.835{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58116-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000271941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.733{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local58115-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000271940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.733{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58115-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000271939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.725{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58114-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.725{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58114-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x8000000000000000271937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:29.247{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57BE9D381645D287EC9BDC8CCD315F8E,SHA256=5270BCD17414AEA011650F71C877A62D96A234C10813C665A9630764083ABFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:29.247{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9444E3752944113903739045928E8A9B,SHA256=60C1061220F62DE5C12BA723E71F4C1EC025639F2055DC75493F384FBE362C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:29.200{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233DDCD80028BC6204510FDCD5CFFE15,SHA256=20AA0129DA13B0464E119C29EAA321B509A3E6134FEEF74FC9F2BB8F6DD107F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231147Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:30.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AEE26DDF82940D3B87E595A7005869,SHA256=02FB89561427173F85367CCA9E96E3D846490154F84D6442A69097BB45D3DC78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.458{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58119-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.458{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58119-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.445{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58118-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.444{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58118-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.426{80A11F3A-4F17-6127-0D00-00000000F201}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58117-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x8000000000000000271945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.426{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58117-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 23542300x8000000000000000271944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:30.231{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA184283DCB5137F1F980E352503AB8,SHA256=768A6A4DA6FC49F803CB73AE9992919FAF9F8E18CC975ACE82AB32844F29D896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231149Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:31.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7331948D8CAD4938168EC77D1CBDF229,SHA256=0DAE2C30EDE5101DD747DE454A0998095781307140596D1E03AFEC5FBC8105D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:31.262{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBCA0B8C26B56E1757DC93635078D19,SHA256=6ADE98AE9343599CE6A1640CDADE7B8BAD5314EBCDB156362B02289ADFA41E10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231148Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:29.140{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231150Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:32.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69227219D8BA42E56D9DA0F73A207FA5,SHA256=2920E9EA64884792188D0288F001D0CDD1DF3EF121F46EFE95BB9248447BA558,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:30.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:32.296{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362A0AFB4A0F13AB9E4E12EBAE735B12,SHA256=A4606BFE6C2921E5D5D5F92981F237B4CCA1DAADDB971F2EAE63519FFD0D85D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:32.106{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=8A962529529F20B53803C8D44B61F80D,SHA256=E6A5B43783BFA13B631DED420AAD09CF98D4E54A983B9B8850FC9E1A0EF70AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231151Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:33.764{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A141D562AAE1EAD5BB8B719B4E457C3,SHA256=0086B513F2D18967D43ECDD543A69BFF067F03CA80DFA409A9C63816FFE2B478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:33.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFB91F4EF74BEA01F414A4BDCDA7988,SHA256=9877E73F696E8F59BC8132134B51D3BFDEC976E2B41EA277F1E1C71B4FC2F139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231152Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:34.764{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164C2BEC88C92CD8FE8825618923B147,SHA256=9D54AAA2430527ACB0033A2F0D1AE77AA48428AFBE13F10B7DEEFF3ABADC7BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:34.387{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F829E5FCDC4E179A0B2C822907503F82,SHA256=A8AFF140D371222553FB6F18B398BC60F714EE09823A36DD42D061FCB919D3B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231153Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:35.780{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9373DB6B47EAB04A1668D49443E0F162,SHA256=BA8A620AD30D2BE4F6D6BA8069E30C6676357D16D09CA6C7AB5068F8D6F44F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:35.419{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF8CE25C7B20D23899E99DB80BA1970,SHA256=F0123F7186582876DF23F2D2B7985F33AB5DA1E883B1C0C9261B0306956472DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231154Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:36.842{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E6A4352CDD7C9B900C112E59AC1E69,SHA256=3CCF0AA80CD19BC35187867594934015B34604516959EDC73ECACF57F9F940AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:36.481{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C19A35CADFBBDEE7752A3718C849ED,SHA256=C1B259144C812A44B51CCBBC1AEB024F440D8BA6300823EB4049599A2D20B72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231157Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:37.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FE49A89933E1CA89EAAF396DB68FDA,SHA256=8E2ADC1E1B9AB952FBE495FDA87DDDCBD40048577E92440E7D72289C56D92A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:37.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDA96E5C245E751BD4D796AAED5B010,SHA256=641A78A61B0B727768864232420DE959361F4406F7E42DA9C06D31F91361ED93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231156Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:35.046{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231155Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:37.266{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-112MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:38.700{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166E50B1658B117411565EE0A034A3BC,SHA256=F70ADBEA98F3B04E7398F8E826A774975C8ED3C533E31578B9E414E084A72095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231159Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:38.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D837A35C73AA9C03DE807AF1B33A0B3,SHA256=99CA588627BB1EE776FD9EB099714F9761478462DAA9CC44FA3273C48D170F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231158Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:38.281{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:36.612{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231160Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:39.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E0204D195E3335A0962FB62C66462F,SHA256=9497DF1ADA5B49C31D482248DDCAE929DB463D51B69B2A6865A9CD43D44E7E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:39.715{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC3865AA3A359D4E422DF87E16E92FD,SHA256=F6C99B2F5DA47F2A45297EA377AD9929CEF3D62BCC030E893AD3FEC18C01FBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:39.122{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_101732MD5=059C733B0EE6182D683EE7E147F163B1,SHA256=6C74ACC1BA0CEB3EF59FE0594E1C1428BC778F07934E31419E91FAFF1719849C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231161Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:40.874{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901DA2F11FE6AB3530E5D4172B6E0535,SHA256=8B7D1B998C3B7221849BC827C0F753BCDB21EADA9D6F8BB173BEEB562AECE7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.747{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49501F8FF6E04162FC8A4BFA141B0B1,SHA256=58FE119109966A53A0E33A68E061B982F670FF6A55DA69C8CF2F160CA43045CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.341{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B473D6A428109CBF693C56DEBE42EA9B,SHA256=7CBCD7760A40E2C6298FE33EC6570D793E37229E470178C2FFFE27C2C530F3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.341{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57BE9D381645D287EC9BDC8CCD315F8E,SHA256=5270BCD17414AEA011650F71C877A62D96A234C10813C665A9630764083ABFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231162Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:41.874{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4E5339191C8395ECE08652B168F15F,SHA256=491D08F1330A0823CAF81FCE7B140C3B4AE1455DE46FCED4DC986AE3792B33EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:41.762{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9052BC0C1AA24518BD69E58587D04F0,SHA256=4B83C497CA56B1B33F95158D82B5149B87FCBBC202B4C7D494E16DA0E055390E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:41.325{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a63-0x9a61bace) 23542300x8000000000000000231164Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:42.889{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52E59F5B24DA182C8A7E7C1D8EC5C92,SHA256=CF4394BAD3D9EA30239CF041E8B7EDA72F844120450BDA95B0022880E553D2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:42.778{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D17EA7B65EDA0021F486E2F6419110,SHA256=1801EBFB8B40FCF401ABD671DA3CA3A1D838146529BF09598A14C5365C16F5E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231163Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:40.125{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000271969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.877{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000231166Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:43.889{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91721F641F1AA65379728DBB41DCE0DA,SHA256=8535D590B66FE88D0C958529972289509C927A286B21A4497DE497F4DDBCA7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:43.809{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2083BD067953D00EEF639ACF6E5F8C,SHA256=FB990F92EA5CA2C1646ADB001DC54FFDE4E2A1502924FBC43382982226F4E791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231165Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:43.421{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1615A0DFA22E93B9645ABD2DC39EC11B,SHA256=5B0F2E70953FBED0F72B2104842C7814DBF0EFC02BB5D9081583D021B3463CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271971Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:41.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231167Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:44.889{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1375687EB56884C91A48BF1935698194,SHA256=62230E9CB8381E14C0E06D0CD7C5CAB47F7855D8024BDBC021F55E72E410FF7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:44.825{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23208B8AD1A9C81D5D585A0488F6BF14,SHA256=BD17D11CAAD9435173D001E7F5D4574144354A1D303B3D11CA8BCEF3434CE157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231168Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:45.905{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18A26EB1552FF3C975F3CC4FF163CB0,SHA256=AE24330FAACB1E44843299FECF0B239CBFDECF347DC7485F571A2DAF2D50314F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:45.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3626E454BAB3F6859736D13AE2B92C1F,SHA256=8A422B5EF7F889F7F3B1D1E3272FE1AD230C140F9042AC9A1BD1FF0B1A178708,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:45.606{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:45.153{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EA2CED676F1CBD122F30744675DC5F88,SHA256=5BFFBDB9DD644E04F27509902837F688FD3FFD3561BD150FFC44D5C9B8AB4A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231169Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:46.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A401414A5E65C112A1BFA74D43E7B9B,SHA256=8F2F37824E2326DDED1719E659273A8679DE9B590C693A498ECEF756CFDAED81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:46.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402F3CA6A985F287A47F013D974E8941,SHA256=C8820284B05A7D402EAE42B59ED85CC37B8C4F5BBEF478617C033C0EF8AE3086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:46.137{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_101732MD5=BC9AA318991A7AA2975D2674C842EA54,SHA256=C258F69FC316048FE15D5C07674DAAFBA5B520646A52CD99B18146FA9048D3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231170Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:47.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46864DEC38700B9709A2D6865E52A76,SHA256=F60233DF9F2B1F167BE0C7CF6DAD342EAF24A29274ECA902A532A100381199BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:47.856{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C7D39BFDEF7863B7EAA77CDF4AA220,SHA256=83C8DC4C8A68FC0FD296E8694CE78E4169EB7C236AD5DCEF98CD20E235E9F9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231171Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:48.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA062D8FCCFB9B442EECA34B19CE2D1,SHA256=C7E7BA7A8CE709C62C659177353CB71239CB886CA1FBAB63FE0BD80B28C4A577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:48.872{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970F09E9E568352E629442C83671958A,SHA256=CAA4DEF60FAB14A04AFF43A8A48FC8E9BAF0D21797098FED8289D7DEB0DEF449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231173Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:49.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F08E5D491DCC51718D6E4A834AFF5B,SHA256=4D1392A0873B28775CD787F9AEF268CF3EBC07BB667C26D1546EDDF94C126163,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231172Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:46.109{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F83-6127-8F00-00000000F201}4592764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F83-6127-8F00-00000000F201}4592764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000272016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000272015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.731{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.731{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000272012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45921376C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45921376C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272003Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272002Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272001Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272000Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000271998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000271997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000271996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271992Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271991Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271990Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.637{80A11F3A-4F80-6127-8000-00000000F201}22044720C:\Windows\system32\csrss.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271989Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271988Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271987Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271986Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271985Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.633{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{80A11F3A-4F17-6127-0C00-00000000F201}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000271982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.528{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:46.706{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231174Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:50.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BF98809AB0CFBDF3756C068B675A1D,SHA256=ED6B3B7CA3AC4FB790EF4197BDA0FE5F548F1C577EDAD206B35D9ADB496C2AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}4592208C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}4592208C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45922548C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45922548C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.762{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=599E0CD437E6EDFA1E5CA554A5809023,SHA256=C4648CDDE01D1D7BD5D335623DA3D9FBA65F72E765B79095DACDF33A5366B31F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.762{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B473D6A428109CBF693C56DEBE42EA9B,SHA256=7CBCD7760A40E2C6298FE33EC6570D793E37229E470178C2FFFE27C2C530F3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.262{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5980C7F3495F9DA8355752141426293D,SHA256=C1CCC0FD71628D8E8C846AE9E0A47E104621EA3ADDED0F1E1D4BDC843CEC6DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.262{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940B84F1F70C37DD305FDF6EEA8083D2,SHA256=FF56BDC80DC34D084E512FD03C6749B015FC7E05171901A75BCCDA24D5233BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231175Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:51.952{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16100F151B73FDDD32FD73BBD7AC7A9,SHA256=4465E8FFF66AAD79D54A2757767F4EE8834BCB244F0D60D0AA4591DD2276DA9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.622{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.622{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.622{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.278{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C5C1C4D4BEAF242FFF3EE35B73B356,SHA256=FB6DF81041B3F0F4ED9D18BF45BF6049B9EC84DF466C73A6DD4037A35C7384F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.081{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231176Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:52.967{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968DEAF0D79339BCF49904BBDA7E967B,SHA256=0279C40D7F66B9DD88720EC4789EC1332ACFE0A405E0860A14B4DF6A2094D090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.278{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CFF2FE7157C7D9C03599E29700E9DA,SHA256=95E7227AA2A78079F1015B8FD459145A6DDFFD50C2E7D396AF9D8DB01ED27B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.090{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_101732MD5=D7C705A0BB5EF28941E08522824DE0CD,SHA256=E2D912BF40B6987F3E603687D625B94CE65831C2BC90D91F3031BE7C5B171125,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.075{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.bat2021-08-26 10:17:00.433 23542300x8000000000000000272045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.075{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.batMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.700{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.700{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.700{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-4F15-6127-0A00-00000000F201}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.294{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83A33CF8FAE1D6CD992AD616388D141,SHA256=D2B07232EACA47A6DDBCBCDDDF0F8072157B26FD2E3EB4B09DEE64714E27896F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231177Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:53.999{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F508B4509F6D50712D2DD2C6AEF14FDA,SHA256=18170112BB77A032C676AD439913A1225D009543CD3988B39DB04632D334AD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=002D226D33D9D09A5868302A623690ED,SHA256=1702AA1AC68D40F661CC2CB89DB381A36C16ED9FEF9C28409324306A11B4A442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F5A398EC051C01201E0ABED5DCB842AF,SHA256=B2A8E83D8D4A11429415A63572210B8882566125A7B04B09B9D83F95B07B1E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.421{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-112MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.325{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765C467DADE0770AF073B085713D6CC6,SHA256=7B95EEC5DBF222F9A338822D269C65FA2C8F6865807D7523B061D4D72DCC3771,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.638{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-08-26 10:17:55.623 23542300x8000000000000000272067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.434{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.339{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9290BE14C75327150889DE2B421B11E4,SHA256=7261CDE49B989131F93F22A74B65BD3523178EBE959A45BE983C8B6F1B287576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231206Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231205Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231204Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231203Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231202Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231201Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231200Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231199Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231198Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231197Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231196Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231195Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231194Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.515{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231193Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:52.094{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231192Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.202{D371C250-6A52-6127-BF03-00000000F301}16922572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231191Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A52-6127-BF03-00000000F301}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231190Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3BB5C9E403989CD702EDFE7B57B820,SHA256=8B8DCDDC80791B8801D5F9B3682C03A23124447F4024FDA06685153666ED3A7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231189Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231188Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231187Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231186Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231185Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231184Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231183Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231182Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231181Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231180Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6A52-6127-BF03-00000000F301}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231179Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A52-6127-BF03-00000000F301}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231178Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-6A52-6127-BF03-00000000F301}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.323{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.323{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.323{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.323{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x8000000000000000272061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.287{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-391.attackrange.local58126-false93.184.221.240-80http 354300x8000000000000000272060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.284{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54604- 354300x8000000000000000272059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.280{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-391.attackrange.local61255-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000272058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.280{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52358- 354300x8000000000000000272057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.722{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.361{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEAF8EE6C32E1218A5D4374B47B50AB,SHA256=B8797F9D9E7DFD2E89EE3B22288F544ADA4F80681DB99900800AF798CB210AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231223Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.389{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231222Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A54-6127-C103-00000000F301}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231221Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231220Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231219Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231218Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231217Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231216Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231215Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231214Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231213Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231212Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A54-6127-C103-00000000F301}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231211Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A54-6127-C103-00000000F301}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231210Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.142{D371C250-6A54-6127-C103-00000000F301}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231209Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B75FF4667403FF9FA630064B456FFF7,SHA256=B763721D9A357E0F49230A5137A7A12FC4D5441E73969AAB58ABAE4C7854A35E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231208Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.030{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7113532B8D83711CE3AA4E1AD58163,SHA256=2AAD4AD1DA498E7DE6E4A19B2F92EA53BBB1E012881BFE100004CC8FE0571E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231207Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:56.030{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=706273F1CED5C79AD3F73D74AD4791C2,SHA256=7B97EECE58F6DE91320EDB0B28969C0E7F01AC30552FDF1A55EFF8C700A6AFCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.126{80A11F3A-4F82-6127-8800-00000000F201}41204232C:\Windows\system32\sihost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.064{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272070Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.064{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272069Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:56.064{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000272080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:57.361{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE4A261F232637FD29EEA276208E3E8,SHA256=B16EBA25A92A00C26B5D9B072BCACB1201E3E597EA65A84DFF8D1E5416401AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231225Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:57.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7113532B8D83711CE3AA4E1AD58163,SHA256=2AAD4AD1DA498E7DE6E4A19B2F92EA53BBB1E012881BFE100004CC8FE0571E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231224Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:57.030{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89414B7C013A6E13B1EB00C56B4A52F3,SHA256=FA3BF98D0201875A6D365DFB86B869E1BD2571E95B4FE6C146513EB34A3FCAE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.736{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local59056- 10341000x8000000000000000231241Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.561{D371C250-6A56-6127-C203-00000000F301}12482968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231240Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A56-6127-C203-00000000F301}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231239Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231238Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231237Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231236Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231235Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231234Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231233Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231232Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231231Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231230Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6A56-6127-C203-00000000F301}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231229Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.420{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A56-6127-C203-00000000F301}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231228Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.421{D371C250-6A56-6127-C203-00000000F301}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231227Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.344{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231226Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:58.046{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1D999199B49177DE039C2B404207C2,SHA256=E1DA52A5A588526DA97AEA8E2667BA2A057542B54BF33349B0403130676F4783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272084Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:58.392{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FBF05B2B0E6DC9D1683B7447346E9C,SHA256=2AB4DB89CD99187FF180C8AFD8C94481C454F8ABC9DA45CBFD9C65C9CEE02EDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272083Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.050{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-59056-false127.0.0.1-53domain 354300x8000000000000000272082Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.766{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59056- 354300x8000000000000000272081Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.766{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:e3b2:81dc:ffff-59056-true7f00:1:0:0:0:0:0:0-53domain 23542300x8000000000000000272085Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:59.392{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349592A18028F98FB33E04254B82D690,SHA256=48CAEEE305DDF30A4A3014D57850EB9AAB0E7B055079A6DE21EA3D95E8C92ACC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231258Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.733{D371C250-6A57-6127-C303-00000000F301}3681484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231257Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A57-6127-C303-00000000F301}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231256Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231255Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231254Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231253Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231252Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231251Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231250Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231249Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231248Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231247Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A57-6127-C303-00000000F301}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231246Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.561{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A57-6127-C303-00000000F301}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231245Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.563{D371C250-6A57-6127-C303-00000000F301}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231244Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F890EF7FB92799748BC4CA02A828292,SHA256=94789A0F49935C0F5876AF9F9DF98B8B3DABE05CFA523B4586FCC721AE456671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231243Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:57.094{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231242Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:59.061{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C361045E1BFB8E35A0F488BFE260BAB,SHA256=9FAEE076EC2412C7A3EF3530BD5032F4B482AEA039A753873D1B4C37EB682DEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272087Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:58.601{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272086Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:00.392{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCF09FB627AF60EB218DB4ED9B029AF,SHA256=D071D217A653315540495E09494E4B682388C7A69DEED30EE60FFE9D1EF6D1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231274Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.655{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B1E222D1B211B00BFCD146D1281F390,SHA256=B8684B9AC75199687B3D68D6ED337118B9E0AC6FDD941018D48773E5ACCA9F89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231273Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.389{D371C250-6A58-6127-C403-00000000F301}9721956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231272Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A58-6127-C403-00000000F301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231271Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231270Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231269Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231268Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231267Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231266Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231265Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231264Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231263Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A58-6127-C403-00000000F301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231262Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231261Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.186{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A58-6127-C403-00000000F301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231260Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.188{D371C250-6A58-6127-C403-00000000F301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231259Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:00.124{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B36FE7C01D75515C2A70B7324E4CC53,SHA256=02AAF91D8556EF1E1FCF76AC6A144DE5004FFA7C3987594B5138B1527848989E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272091Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:01.595{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-08-24 07:51:18.294 23542300x8000000000000000272090Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:01.595{80A11F3A-4F83-6127-8F00-00000000F201}4592ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=846C5C3E988BABB67D7D78D82BDC2A0A,SHA256=1E8827C8F6177049816924A2CE070F6865EE477217506BE61767C0832825D288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272089Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:01.454{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E82B29461601571A36D14602528317B,SHA256=635C7F1CBA0D4E51401323446B6925A15991FFA5EB058BEF50E6FBEBC3072FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231275Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:01.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80645C35ED11F818E816C9049F9F1927,SHA256=0E0C4155C893456C035717EB16B630E24668D0E3619F7D1F2B724382121FF1EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272088Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:01.220{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\ad2.ps1.lnk2021-08-26 10:18:01.220 10341000x8000000000000000272094Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:02.985{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272093Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:02.985{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272092Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:02.689{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E27F94C9E37622F985117F627C65B53,SHA256=2C6D351E4303B9840385774B15099FA5500F2077F61BCD6E41A6FB773DC8268B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231289Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC6A2DA2618A8C0685E99660AED91FB,SHA256=63BCD1145DBA7B2E51BB8FCB1E86FD320A71BED0F7D4B9626A8DA0CEDDE4C72A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231288Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A5A-6127-C503-00000000F301}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231287Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231286Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231285Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231284Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231283Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231282Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231281Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231280Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231279Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231278Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A5A-6127-C503-00000000F301}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231277Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.092{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A5A-6127-C503-00000000F301}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231276Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.093{D371C250-6A5A-6127-C503-00000000F301}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272109Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.735{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188F3704D82D870763A5D9AB765F2353,SHA256=81192FFC42D27F6D3E470977D13E96BC8F86563FD9B25FCA1A1EF4C1EB38EBF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231291Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:03.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DACF976EFD514267011482A43AFFB7,SHA256=9F5E793E4C1FE5F10E157F138D2BC8759467121F9E633EF031786E748D0347A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272108Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.314{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000272107Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.314{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000272106Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.251{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272105Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.251{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272104Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.251{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272103Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.235{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272102Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.235{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272101Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.235{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272100Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.235{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272099Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.064{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272098Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.064{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272097Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.032{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000272096Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.032{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272095Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.001{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6A5A-6127-FD03-00000000F201}2764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000231290Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:03.108{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5B00341156346DFE5C2CEA218895929,SHA256=CE84020B6DB541EEE2D1F3023AA2620D88C110B2388BF9D20975B5C0C5526B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272112Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:04.767{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0861D389194E0CAFD10FBEEE78C9A61,SHA256=4F28C3B0C6AA503AA84E5EAFCDC0244A52D680CB7CFBC1D5525AE6D15E9D2998,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231293Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:02.219{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231292Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:04.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F182B43A8D8706DA86F3B62F7810F4E,SHA256=B170F592765941B50750E8D158D110A48DFB5742CE8CC612C5104EAEECF5EDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272111Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:04.048{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2619D06C76D032EC97CF397E4AE5D9B,SHA256=13CBB6B461EC45F6C83E5F5AAB254CC91C4C2C2453163BF82B92A04F0329E4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272110Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:04.048{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=599E0CD437E6EDFA1E5CA554A5809023,SHA256=C4648CDDE01D1D7BD5D335623DA3D9FBA65F72E765B79095DACDF33A5366B31F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272114Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:05.814{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2C84F43094C49364CF1E0B1CDC5A68,SHA256=FC9AEB25BC0C5D28EA8296503D0DDDF3510EAEA73F62F8B51AA707167476A98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231294Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:05.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919F76970CC551889108D8A9EE492B3E,SHA256=FF380A5C0B913DEA899C6A08AE46E9FD94832E6A36D713A8B4333610A7BBD8CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272113Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:03.633{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272115Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:06.845{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB8DE7499249E8E8664D81687ADDCD2,SHA256=3627C75B7BA535FB44DE82E56D69302EB61502CF24E2B6E601167E55B4273FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231295Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:06.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F90EEC752A667A79B0733111F125F2,SHA256=C27D3F3079A289578C8697F80FB48BE1E7F78F9E2CB44B9B62C1B75A0D2C2777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272116Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:07.876{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C613CF55EA7791A72131BDA846852624,SHA256=F6FDA04B2373D5EBFB3EFA28230279E1B5349B6CCB0DA239413A103032116D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231296Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:07.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3499082974D31C5F942F7E88B62BE32,SHA256=0288974D41433F3B7FE305C8FBE99C2CDE24B74ACE30BE23A177E7FFCD812BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272117Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:08.939{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760CEC0C39772ECEBBD54D2D59065EA3,SHA256=4D7F0D6E9E598DCB886CBDB0DFB05D04B3DFB0582CFE2005EE0E3C3AD85159FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231297Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:08.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FD5BBDA3B85A2D00C9F3C2863A26C2,SHA256=8ADB6DAADA7BB37A5A8F32F6EE01B955EB67995866183229B6C7BA4569706350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231298Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:09.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9633DB690381FC9877D3F91982B239A0,SHA256=382ABE44B8A993EC1B9C1D50550B42A7ABC13EE8527D9DF5304271E598AF116E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231300Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:08.172{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231299Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:10.170{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C31085BDFD7665B991ACE1664711EC,SHA256=C3FADD2361E7B0EE6B66D22EA56BB5F59126A6F28FEA7F2AC351ABBB91A35FE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272119Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:08.695{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272118Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:10.017{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B86D8B06D9A7ABBE7ADF06F84DE84A,SHA256=11FEA67F256F228BB2C8706EAB9A17C10989EB243D036A6DB68A597D748245A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231301Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:11.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1D0BCEC9E5021F5579FA3E0B89E942,SHA256=AB65C19C6FF29596CA64605869973B0CE13AC450C14DE121EA97F73C631D52D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:11.032{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B54AC6820C327EE75BCAA06D0DF6145,SHA256=290B839CC2C6288AB2EB5BE4E35F23A0F7A90FB6166D8C41738C7EEF17FA82AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231302Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:12.217{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F8FDAB4F1F49888C6D4272F003A014,SHA256=44C8ABB3246E2AE3741DBF591354C907F8F77972C6305153211C8C380EBC948A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272129Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A63-6127-FE03-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272128Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272127Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272126Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A63-6127-FE03-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272125Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272124Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.173{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272123Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.157{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A63-6127-FE03-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272122Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:11.939{80A11F3A-6A63-6127-FE03-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:12.110{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C99C2805B1304100D9E6EA97BCEA02,SHA256=470E2685526FF86FAEA1DC1438DD3EF02F11ABD4CB53E228EB19E6AF64935307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231303Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:13.217{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57653643B760FE3A028B8C93069BB143,SHA256=3FE65DBFF1E607A7D64880C4F36DBCCA102EAC590E0C54CE25E8A35E4DEE854C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A65-6127-FF03-00000000F201}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272137Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272136Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272135Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A65-6127-FF03-00000000F201}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272134Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.251{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A65-6127-FF03-00000000F201}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272133Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.064{80A11F3A-6A65-6127-FF03-00000000F201}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272132Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.144{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EFC64869389D43C56F2CB236473060,SHA256=0802C16CB8D1CE222E1C9B23DD5C8C8288E1F57723537EC0172CD020EC357E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272131Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.001{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF949F9C8AEA9D657B4A691C71B80FC4,SHA256=69710A09F6D916F137B60C9CAB9DF8A1153E3879511BDAEE97A769EFEC2DB672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.001{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2619D06C76D032EC97CF397E4AE5D9B,SHA256=13CBB6B461EC45F6C83E5F5AAB254CC91C4C2C2453163BF82B92A04F0329E4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231304Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:14.264{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6CBE3C02C3191253FBE64A7FCD79C4,SHA256=DF23DDDE0A1746867095628A702CFFDA1EBB33D90BA445E24F1E97A40D3D5D51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272152Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.329{80A11F3A-6A65-6127-0004-00000000F201}49403492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272151Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.189{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A5584A1EB54887F4BCC2B9C8559353,SHA256=47B459D1A6E0C14707019D4397EF41434E0D7D9DDB11500BC786F015C412738E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272150Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.173{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=8431D8B48F41AD9D00053F8727F8024A,SHA256=0158FCD60DBC80F7E8822847AF2217B2A0CF9D3EED53C3DA962947F946F51A4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272149Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.126{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A65-6127-0004-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272148Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272147Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272146Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A65-6127-0004-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272145Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272144Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272143Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.110{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A65-6127-0004-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272142Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:13.939{80A11F3A-6A65-6127-0004-00000000F201}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272141Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.095{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF949F9C8AEA9D657B4A691C71B80FC4,SHA256=69710A09F6D916F137B60C9CAB9DF8A1153E3879511BDAEE97A769EFEC2DB672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231315Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:15.295{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C132CE2C4E15C8CB3104E334020471E5,SHA256=EB231ABC35017E32DDEFC1352B62B2408665DE9266690D61FE8021C820B8663D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272154Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:15.673{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28F03A8C634551A3018A34CF45FC79AF,SHA256=25B8C993F3FCDEEBC69B6ECA8BF9DD58A77BBEF1A249B0C3F87F14AE6D4E8A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272153Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:15.204{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2139621BC09DF7CA9D9EF534BE4B4EE2,SHA256=3BA9C09C0ACF2BBC72D4CAF3CE16C91A35CAFB9625D3AE41767552C8D6C5E005,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000231314Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000231313Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006ac3d9) 13241300x8000000000000000231312Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0x4c975f3f) 13241300x8000000000000000231311Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a63-0xae5bc73f) 13241300x8000000000000000231310Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0x10202f3f) 13241300x8000000000000000231309Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000231308Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006ac3d9) 13241300x8000000000000000231307Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0x4c975f3f) 13241300x8000000000000000231306Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a63-0xae5bc73f) 13241300x8000000000000000231305Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:18:15.249{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0x10202f3f) 354300x8000000000000000272157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.070{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58130-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272156Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.070{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58130-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000272155Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:16.204{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E0A812A7C3BA3AF7856F6C01751856,SHA256=7299255406A309781A84F21BE2A98FB7737C5FB00D21B41491245E808B89295E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231317Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:14.063{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231316Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:16.295{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D945ADA9EF437DA92E13AD295FF219BB,SHA256=8DC7C860B555E1BB80D94E6B21AD051BCCD4506DF718D4921BE597CBAD3756D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272177Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.892{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A69-6127-0204-00000000F201}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272176Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272175Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272174Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272173Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272172Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A69-6127-0204-00000000F201}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272171Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.876{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A69-6127-0204-00000000F201}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272170Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.721{80A11F3A-6A69-6127-0204-00000000F201}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272169Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.845{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75B923240868D8F3EC151D963D61D557,SHA256=11BCF2E459FCC7442759B3B11E9BD241C3934E13C5C2EE8E37A4E26B67D7AE6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272168Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:14.601{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272167Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.251{80A11F3A-6A68-6127-0104-00000000F201}21043300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272166Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.220{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5297E05BA7E78226FB54767DA7E04157,SHA256=32C591B6685714FE049428C41CE08616E986A4A0C02C95DD16FCCC98E44B8EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231318Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:17.295{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3985D96E072A70106E9BE500D07DDC3,SHA256=AFB757B411628AB11F2A96DFD1532FEE2D55838E1BB480E6A22EE653F5CF349E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272165Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A68-6127-0104-00000000F201}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272164Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272163Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272162Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272161Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272160Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A68-6127-0104-00000000F201}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272159Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:17.001{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A68-6127-0104-00000000F201}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272158Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:16.830{80A11F3A-6A68-6127-0104-00000000F201}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272188Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.798{80A11F3A-6A6A-6127-0304-00000000F201}16044056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272187Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A6A-6127-0304-00000000F201}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272186Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272185Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272184Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272183Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A6A-6127-0304-00000000F201}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000231319Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:18.295{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39134BBAA0035039EA1B9A6C010E41B8,SHA256=54382EF614399AEF43A3B09A37A5766CAD993497382EC329D8D46A074954824A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272182Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272181Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.610{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A6A-6127-0304-00000000F201}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272180Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.611{80A11F3A-6A6A-6127-0304-00000000F201}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272179Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.235{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16873BAFA3553D91D6908C321803EB7E,SHA256=D68E7E4E92229AC8BE657FB0892F2F8FA0F70578357C6B50F1B1396CC76CA2FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272178Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:18.126{80A11F3A-6A69-6127-0204-00000000F201}24483164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272198Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.689{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A6B-6127-0404-00000000F201}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272197Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.677{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A6B-6127-0404-00000000F201}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272196Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.660{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A6B-6127-0404-00000000F201}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272195Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.677{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272194Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.677{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272193Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.677{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272192Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.677{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272191Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.517{80A11F3A-6A6B-6127-0404-00000000F201}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272190Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.642{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=509AF0E91C00B1F533ACE23C2D714A12,SHA256=B33AEF1AED9C0FF5BA8FDE63ED7CE0A870279122D6D82C96520C0C1742755629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272189Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.235{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5051ECEB9C335916433D7E562F84ED,SHA256=5D5E2C0AF1D834976110656D25725C973A03EDEA72CB3C625D8ECB979D010220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231320Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:19.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231810902F0CB148B249533F16C170AB,SHA256=42223CB328850AE4690BBBCD2CB86005357FECD89BACD5293151237009EF1351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272199Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:20.235{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5116CDEAD785FA11FE40D1424DED99E,SHA256=AADACC51251A596BBE8565401DDF426D70C71D3A20F51C4402158415B3B86017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231321Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:20.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A288EC87C8A83E6F52986EACE6EC946F,SHA256=D76A7498CCC4762016AEE9A0792CD8F693A3EB34E405560F3C9EDCF347DE78AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272202Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:19.679{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:21.251{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B85E5407031586AFCD458D4FCB70E4,SHA256=1654E4370FC5DEF824DE2D1DF30E99738DD353D928663060EC2E7D457AACFEF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231323Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:19.078{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231322Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:21.420{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AACDEF80FBBC064DFC7E7EED6435B7F,SHA256=18254EC9043F09B876B43ED2541DFEA184A64F62DA55DE5E976057F68BF433A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:21.188{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.ps1@2021-08-26_101814MD5=CAEEBFB2D57F4A801EEED3F92A3E582D,SHA256=8D4DD7D0C2225D5EC21F07708BD83E2BD6B48F7268CC4D969E72164262BB6D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231324Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:22.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE71072805D70092D09624A640984A6,SHA256=E058DEC7E9AB659D287D1FE45B9FC0ACD5EC59762B1742B8C9E111BE622CBC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272203Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:22.267{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5B03A35A02A51CF4AE17E8CF9A6B39,SHA256=408D81DDF2E3A544540A35D7B0A2ADCD3C85CCF000E9C8997DF8124E055F0AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231325Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:23.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F17BBC2098B7DAD5347282A3F4F277,SHA256=F6255A0EB67EF77B389256725E86E25C19FE92A4DCADFB818218636BDC14E69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272205Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:23.282{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5668BA756E8A34738125F2910B4433D8,SHA256=6DA43A9E8D7614AAC5A3432B0AB0A406F49CE68272F530894E1F701AFC73C2A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272204Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:23.173{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272206Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:24.298{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D5983D0032B70CA3C217C50736CF53,SHA256=DA5B8BC98ACB7959896E357FFE0696F79D6F122481B31071286FBC5B202E37B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231326Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:24.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B19B3FBBE39F61B16EBB859E215710,SHA256=A73E36DF0236D308ABFD086118450D191DB42E166A3474CBF338754FB6080A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272207Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:25.345{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B68332665C7E199407DFC1DC0284504,SHA256=CF731627C2C0673A6B9FA4169FD5152C7D9578D554C2CF9B2A184F611830C4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231327Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:25.483{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB51550F9EB2548EDB0676607DBBD22,SHA256=381C1DFCAFD511683F7C6FD7FD25B872DC53C3F3B88F4F3030355514C622CCCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272209Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:24.788{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272208Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:26.360{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425F30DD3A872297996137F5A4EE0F5E,SHA256=4D757BE7E8B5F293E529EF9FBE47639E113B1661563C615365127E5BCE54E294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231328Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:26.498{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE324A49A9EB9905EB5597A846813D4,SHA256=705C8E42549E4DBE853C4C8C22568400BF0261D4690E5256DFCABDF21DFEDCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231329Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:27.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19962317930988249597699C0AEF2731,SHA256=7A033B88E0FF2D527901CDFEEB171573DCB4AB9689D7048E3DC8F0E47AF6BBDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272245Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+6165e|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+6164c|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272239Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+6164c|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272238Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.985{80A11F3A-6A73-6127-0504-00000000F201}1620ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF6afbc1.TMPMD5=EE84C86C40C7CD0042EC2D6E141BADAE,SHA256=26A7D012C04D9E1FEE6B078ABF13CCBB0119ECB1B9DC3750809B397AAE04CC1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272237Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.923{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272236Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.860{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272235Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.860{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272234Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.752{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272233Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.752{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272232Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.752{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272231Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.735{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272230Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.735{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272229Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924828C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272228Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924828C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272227Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924828C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272226Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924828C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272225Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272224Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272223Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272222Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.642{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272221Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.532{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272220Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.532{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272219Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.501{80A11F3A-6A73-6127-0604-00000000F201}43482392C:\Windows\system32\conhost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272218Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F80-6127-8000-00000000F201}22044720C:\Windows\system32\csrss.exe{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272217Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272216Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272215Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272214Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272213Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272212Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.455{80A11F3A-4F83-6127-8F00-00000000F201}45922284C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+3d473|C:\Windows\System32\SHELL32.dll+3d33b|C:\Windows\System32\SHELL32.dll+3cc57|C:\Windows\System32\SHELL32.dll+3c91c|C:\Windows\System32\SHELL32.dll+e2087|C:\Windows\System32\SHELL32.dll+e1fe5 154100x8000000000000000272211Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.449{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000272210Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:27.376{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACC7DF6F906CF3C671698F414A8ADB9,SHA256=7F65FD0E25DE92CE971990DD67659D194BD89F38A7631F249AE708A5E38F3DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:28.533{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=974BE302747344B90F4ECE2D51DE4576,SHA256=D9E46004C7CAAC5702EA1CBD464B15416C69E98411C596F0E405770712BA757D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:28.533{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F519523F9C8A896B92102DA607B938,SHA256=B16A25B781AA2BE171AA2F5668D450D474DE9D36C5EA525E98740505C253DAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:28.513{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708FC4F4A0792E4CE08F11B8B1AA3DDB,SHA256=C1A5A76FC594EA63790C6E9B8CFE1886B4D765452113588D6D92165EE024E419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231331Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:28.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C257E819A4204D066B1D786933BE3334,SHA256=781E0B9014CCEEB46CC3205AE5CA8716C6EDD700BE4B99A734CCA36DEFAF9B36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231330Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:25.125{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272246Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:28.205{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.ps1@2021-08-26_101814MD5=A1B28E7E50A5B697100B162EE0B223D3,SHA256=1CDCC9DF2B1410CF835B8246716BEAE657C8154B15733C1AF7C47C075D17F45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231332Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:29.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F74A034F1644BE130708F3FCFDFBF01,SHA256=EBDBC18B16A3EF1CC6FA9A23F44E44139F242038728E094A69F29463ADBC0705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.767{80A11F3A-4F15-6127-0B00-00000000F201}632364C:\Windows\system32\lsass.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.767{80A11F3A-4F15-6127-0B00-00000000F201}632364C:\Windows\system32\lsass.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000272255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-26 10:18:29.563{80A11F3A-6A73-6127-0504-00000000F201}1620\PSHost.132744467074495988.1620.DefaultAppDomain.powershellC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe 23542300x8000000000000000272254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.548{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602EA348D73426C5C3D7691848E98E97,SHA256=72E531C8D3EC228DB52DDC64BC52D4FC26E46CF76AD878F205152DB58FE2FA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.532{80A11F3A-6A73-6127-0504-00000000F201}1620ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_r3ea5oof.3v5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.532{80A11F3A-6A73-6127-0504-00000000F201}1620ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3ee1df1r.duf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.313{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3ee1df1r.duf.ps12021-08-26 10:18:29.313 10341000x8000000000000000272250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:29.298{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231333Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:30.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984DDD87BC11DE03F9B1130FA222D0C4,SHA256=8E1495A839CD6D86549981499987FBB9E85D09799184B8FB54E2B2533B879C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:30.548{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FB06080A4E81B2F365E72F94436A25,SHA256=C4B18B6538EE6CBCC9DA0922F1262228AC12626AD880C90A9AC41D45AF06052F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:30.313{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DC4C6D29260EE692973BFCFE84535B9C,SHA256=D6D2B496F86A5CE4ED64E7BC89477CECB9F26E309014334494E07BB30C76EACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231334Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:31.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF8D9154644C6D775C3DD13F7067E06,SHA256=98CB03BF0EA148EE8E68477757A522B71C8F60FFF78941387E309E34E985B3B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:31.579{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F457174A496D88A650FC7E6AF394990D,SHA256=DC3E16E1F47CC90CA165A53124AEC2FEB4D7BC07C9417D59160250D1E772A4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:32.595{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0689FAD18011448B08C82032CF4BE21F,SHA256=DD5EADEB0B28C93A7925DC7F2CF94ADABF851BBBD62C553F4E1E76DE091323E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231335Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:32.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAF377913B7B012C1F766217A1FA7FA,SHA256=2A4E719D7B606203441A51033DF009DA5124D28A59265A01B2450B55B782AAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:32.329{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=83B71D2BB70A6F9C416A48D035F627EC,SHA256=5CBBD778C12DA45A118D7628FBFFC6AA5D31E31568019F60A2AC79BFB47BC6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.610{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A1CE55D43AD27EEA5FE6646E224CA0,SHA256=2FB0DE620D72CA404E31C2A964A1C8CE1804077BB85E4E57FB601B6E2C197E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231337Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:33.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27AF33126DAF463CC27F127749493623,SHA256=8C74D1D924381D7E4EAA2688E868B4A4AB06E55E7FBFD3499833BEE1A8E8976C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:30.616{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.079{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.079{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.079{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.063{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.063{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.063{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:33.063{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000231336Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:30.141{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.642{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AEC9D36604585520D6CB2DD19BEAEF,SHA256=C4CFC1D0A1605F7D40FC85E68C99FF7C4F47EDF553187594147618FE50527D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231338Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:34.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F92CDA5E20F0692F15300843AE60736,SHA256=CA3029E7FBEE0E2F68149ED59630788F3926D2D0D38C789D1B248EED4B104025,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:34.454{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231339Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:35.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58818DFD98A671D3B5C18B4ADECEC767,SHA256=9EC86D813F24DC619DFC46B1B7BD27615745A35570554FA7E586173C3716EEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.879{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B160DEA45999A54036D63BC8E4CC13C8,SHA256=4EC4539610910FD77B70F64A78C747DED2E748457D86CD8F5329D77664B3511A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.892{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A56B687B4C6482347399E2BE72AD95,SHA256=C4DA38AD51D38168F0F0B1509DFBC4FE6D09CFAE7C9BB72D46D0FF8B207FFBDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231340Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:36.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C8E731590C12545043A300B8FB4BA0,SHA256=D66A59281BE2EC8372DB6E9D6F9F15398F44DC15AF3BCD4B41D03B5C1409302F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000272282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.001{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x8000000000000000272281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.269{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01ACC5DD99578B304A86B0B2CDCE89C2,SHA256=8ADED733BF466CAF1B114F6ACAF3C10251875E460B46443E4FC43624AF15FCD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272303Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:37.970{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4A5FBA98948ACD59ABDB692A20248D8A,SHA256=BF9A8AEE229383BD16F825C4A8EA7C2194C5FE1DB4EA04C05CEF34DEA0DD4A57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272302Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.485{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58142-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272301Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.485{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58142-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272300Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.444{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58141-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272299Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.444{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58141-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x8000000000000000272298Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:37.907{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0041953C7C652E09A06B1353673FE5,SHA256=9ED3ADD334E6C6ADD546D279A2EC53FEA5C8BAB3688FE667E101113568125EAA,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000272297Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.518{80A11F3A-6A73-6127-0504-00000000F201}1620win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000231341Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:37.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B63D9695795566CF70983359C5D3EE0,SHA256=A7F3AB40E4C8E3EEC116C360713F0EC62E545E412340FA452EE70AB1790FC2FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272296Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.162{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58140-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272295Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:36.162{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58140-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272294Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.985{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58139-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272293Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.985{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58139-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000272292Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:37.407{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ADA37D042399E2FD1DB31178F8A24A5,SHA256=8683E82612FBBACC6D1B13A5146D418EF1751F49E2CACA144AF605B8934F5F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272291Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:37.407{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=974BE302747344B90F4ECE2D51DE4576,SHA256=D9E46004C7CAAC5702EA1CBD464B15416C69E98411C596F0E405770712BA757D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272290Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.837{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58138-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272289Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.837{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58138-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272288Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.648{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000272287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.633{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58136-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.633{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58136-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.526{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58135-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x8000000000000000272284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:35.526{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58135-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x8000000000000000272311Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.923{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2FEA97A34E0124F8A3D2F0018D3E60,SHA256=AB2DF1B32CFAEF0643A6C592C627F8A07BA310A0B24D8E524671E607880E3DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231343Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:38.800{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-113MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231342Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:38.594{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96F0B7E9EB316EA52B23E4AE69865E0,SHA256=E86E44140D715CC47890956F4D3F890171DEF769D268015C62545599BFAE90A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272310Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.329{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272309Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.329{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272308Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.329{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272307Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.313{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272306Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.313{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272305Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.313{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272304Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:38.313{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231346Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:39.802{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231345Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:39.597{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA163B45BF9B2B8BB0288829E389434,SHA256=64322DDD8570B7928FF3FDE62D3F32064FCD4568D917393E681B4905DBED2FF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272349Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.735{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272348Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.735{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272347Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.689{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272346Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.673{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272345Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.673{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272344Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.673{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272343Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.673{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.657{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.657{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.657{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272339Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.610{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272338Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.610{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272337Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.610{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.610{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A73-6127-0604-00000000F201}4348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.486{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.486{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.486{80A11F3A-4F83-6127-8F00-00000000F201}45922028C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272332Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.470{80A11F3A-4F83-6127-8F00-00000000F201}45922028C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272331Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.376{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272330Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.376{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000272329Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.360{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272328Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.360{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272327Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.345{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272326Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.345{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272325Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.298{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272324Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272323Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272322Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272321Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272320Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272319Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272318Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272317Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272316Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272315Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272314Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.251{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272313Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.235{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272312Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:39.235{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000231344Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:36.078{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231347Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:40.629{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FAF8634EE5901F1BEA833ADD509F4C,SHA256=A44808C1A10D0808CD011C317ED27B3B0764000FBDB44EE49F0A62C452977EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272351Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:40.267{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45277A2FB33028A40F502516ECC1C4B4,SHA256=A2592115FC4C54AFCCE2ABB3C997B7157805AC830C2F0547BAA84C001EF2E689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:40.267{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B36D389A51AF73EA42BC03217DDD214,SHA256=9205EEDFC7F9C920A7871172D02FFFC34EFA2A9E62CDA8AD33862A0E7307685D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231348Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:41.645{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B497F874606E0616060F339DB55B9D2E,SHA256=E58A1AF2A57BF00CB2FE52FB0F6A6E90FB3F916F376E86565FB9DC04C24B5E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272353Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:41.751{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F067DEC9F9CD9EE2E1A2FB0A9E183608,SHA256=9B5CDBCFDEF22A4BEF69B2B5F3FD0113F0B6BCCD1A63B53E64F3AAC195E4BED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272352Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:41.392{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969EB5C2CBBC0BCE652C7A226BF59F42,SHA256=E5D38DFFF48FADF86115069BDD425C2AB90BCEABFD1EA319317BA7EBD4ABE947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231349Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:42.676{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FC80C4DA7A08B1C36459438763397C,SHA256=181FA91CDA6942FCE00C86C090F304B546D5902D280C3F996056EF909A3824F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272355Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:40.694{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272354Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:42.392{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C3D6C248D5C047790EF19C33ED8F34,SHA256=2F10382216A9C866490C762B2BDCAB4AF5C29416192C2DF924F31677810D6616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231351Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:43.676{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323E8198DB4B1E6A8315F1F4E068B9D6,SHA256=E42EFD8475624F0ECB7960AF84E7E4371E228E2B795BC842CC561A328A5EF7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272356Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:43.407{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3737B213111EDDA5C9E22F9DE8F89B21,SHA256=F600F2C217039AE86E0E768676ACB5356DD4713FAC93F89BAD9ECF90E1950D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231350Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:43.426{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=440ACAE0D2BDFA977E7C5D5AE75958E3,SHA256=2099CFDB33E3A55F83A3413952B66B642B89CE286F456203775243ABF0127388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272360Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:44.985{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272359Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:44.985{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272358Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:44.985{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000272357Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:44.423{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FBA046EC2992802BA95EC129DD213F,SHA256=CF9E39ACE616E90317944F3C215AD5B37F3A568722008FC25AC7F78BBF994A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231353Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:44.676{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F68245FD1CD1F9F67093A00CACAD59,SHA256=D3A765B8E93A90DDF3057B2DC708B57871FD6760E632BA9A98E2506456D8980E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231352Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:41.116{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231357Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:45.864{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231356Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:45.864{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231355Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:45.864{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231354Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:45.676{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3D4D13A968BAC05C5C627EA4E3E8D9,SHA256=202728C3B07CA54BA8FCE09777A7E50A19968E7A35483F123FFEBE68C710520A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.501{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B5B73209AA873B2A88185F26A43AD215,SHA256=C748176D0EFA190D70C6443C66894E955A2C4DD1F4432FC48E9470954FC573DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.423{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA4842A780203E3AB4B56A7B4445793,SHA256=94C156951D9E09ACF78B1539C1111ABAF05D522A56F31CE7A230DCF959611CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.173{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E93030FB9B4DD4648CCAB335759439A1,SHA256=E0F325C208A5E81AC2F454890244F37D1F28F41D17842F95D6EFC537ADA6768E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272366Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272365Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272364Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272363Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272362Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F17-6127-0C00-00000000F201}840100C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000272361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.032{80A11F3A-4F82-6127-8800-00000000F201}41201860C:\Windows\system32\sihost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231358Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:46.739{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A44025D9584DFA7968325ADE0CE8731,SHA256=DD26BF585DEFA8DAAA62630382C33F837F62427026B1EE74979CD034708C552F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:46.438{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAE93CA566CD7C1DE7610495D193B55,SHA256=E21AE773EEC7CAF6893D869084AD9B44D598EF3116DB06ECC5A96699EF0CED21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231359Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:47.786{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A91E6D0F6108E506C5A02E13468DF5,SHA256=2884FDAFF397AAAB87DB34B8E1B78812650ED6D98F6A18FCD53E6006A177C763,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:45.804{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:47.438{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B99B0D8A8669D810A2F8D71F34996F,SHA256=FD67B38FBBBB05D24886A7BA736E5753DE231E78AE9BA4E9E53FA0444E6EE256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231361Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:48.817{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52EB33B917358828C85391822AEC83E,SHA256=00E602B8910A13A15BC817AE3CE4974EE04DEC8E857FBB43A9CB2E19005E370B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:48.454{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C6701EA9CEB029FF4232872E5AD3F0,SHA256=BCA4B1E6EFBF073B854350DE7AAF3CBFD60C21B843D4FE94EDD1BBEAD77264C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231360Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:46.131{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:49.548{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:49.470{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766AA2D22321DDB3D7D7DF97B46069CF,SHA256=A8A34919D82237DC04A828CDD8296653B6EFD8AD34D680D477F6151C761983B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231362Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:49.832{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1205E92944610DAA661D5C132E02F9CB,SHA256=9CA52D59523ED6CAB28E770CD50BBD5DF2158B194ADF7DEDC0120E82BAB2A246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231363Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:50.832{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D3BD1CD6B36BCF39FD1CEAD8754BCE,SHA256=B1610DFD98711462823EEA09E161CCEAFD568E24103E060853550C79370F8EB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:49.101{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000272376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:50.501{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB018999BDF834167FFFE4FF6F6B8C9,SHA256=739FD91E6FA0FDF4917BAFFD4E6D714F775849E7E7C046B9D7ECDABEAF349D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231364Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:51.864{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98DB3A3139E11947D4942E0C3D09C97,SHA256=D7DBDD71473389309B2A1C6D53C542D76775A934A933BD98DD1A4A45780D14BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:51.516{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CB00A1218D6B13D16B75530C6CEB52,SHA256=A33BF73D8054A75BC4278B3E60F9F5B68FAE01B8F32071F75BF4DCA09803B4A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231365Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:52.911{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45024C4A9A14692D779315D24B71B3F,SHA256=A060E17CD0F44DDA002732B474FA3A66D2D1FA4113E863B306697332F217AAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:52.516{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095DE2AAE68318BA6123C9BB33DB9DD1,SHA256=CAD2F81578C717055D7C88C28B0159F33F23609D0FB99DC1065B51618713DBF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:51.694{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:53.548{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1865C4AAD3360AA4366BDAC7F2ADD8,SHA256=06CAA957C2E7E396E50C6F9FF9886F56A8FCFBEF8A2F9A156A06F4B70D0E6381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231366Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:53.911{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1327D3EEB9ACE36722C234C28B64F98,SHA256=7746E7840187FC8204579C9107D99EAA546419B2E61D265F549F4F7E4E952B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231381Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A8E-6127-C603-00000000F301}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231380Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231379Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231378Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231377Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231376Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231375Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231374Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231373Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231372Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231371Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6A8E-6127-C603-00000000F301}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231370Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.926{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A8E-6127-C603-00000000F301}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231369Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.927{D371C250-6A8E-6127-C603-00000000F301}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231368Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:54.911{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83CE33C33A426DFC5200E7D4E5B6B99,SHA256=A2EBB026ED7E8A1A9F98D950558B76A0131D231B695320593E337414524761CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:54.563{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A971FDE48152BF2BC157F1F5C92DA3A,SHA256=FDEA598316B803ADDAD108B3ADE642C774DED1C7FA0394F1A5308264EC688362,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231367Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:52.006{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231396Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.942{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91AB0F3D1F7840B7F262883FD532082A,SHA256=CCD5744DFCC1C4DFA465E80408E5E7AACC300D890BB3F5E206B50AC5167F72C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231395Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.942{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=304E45654C312862EE466D76E5C9ADA4,SHA256=C1F2B0A85E0B3B2868C30EAECAD227F37E429A9087A51283FE3488BC7919B4C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:55.944{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-113MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:55.581{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FADEB0284B73F5D0523EBED4651EE62,SHA256=EE5FE94F5AA8917F6CAB2C010B6D3A1F9E7475951E1BE90A5EB7E4203611E2FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231394Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A8F-6127-C703-00000000F301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231393Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231392Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231391Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231390Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231389Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231388Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231387Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231386Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231385Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231384Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6A8F-6127-C703-00000000F301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231383Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.598{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A8F-6127-C703-00000000F301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231382Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.599{D371C250-6A8F-6127-C703-00000000F301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231413Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.942{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0892733C2C2337B9FF41EBA6B04582,SHA256=C271CE8FF7C34793C063F5B69AA613FB8CE86950EA65E4DEBA7ED883EEBC2CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:56.948{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:56.618{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C31C63927D2AE2883D72DC04C085A6,SHA256=6AFC2CCE889332623A8100B85BBEB07BB4EFEA10385F02D6F80ED81CA99820FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231412Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.442{D371C250-6A90-6127-C803-00000000F301}923476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231411Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.411{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231410Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A90-6127-C803-00000000F301}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231409Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231408Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231407Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231406Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231405Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231404Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231403Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231402Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231401Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231400Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6A90-6127-C803-00000000F301}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231399Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.270{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A90-6127-C803-00000000F301}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231398Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.271{D371C250-6A90-6127-C803-00000000F301}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231397Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:56.082{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934E486270F31851871ADE0DEF6F794A,SHA256=B9398B1AEBA3DE1DBA70BDA3270E300F8B8B258AE51DED6B4467A7237D8CE716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231415Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:57.973{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F629A59D150D54301CD6FB18C66760,SHA256=3C18B2A4C1AE597BD4F25A2C0A4156BCD46329618930172497B517497576758B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:57.620{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD2D8F6CD7AD878E8807BEA5D114772,SHA256=02E66AB5FEC39FCF9984071968CDE8D17A878D866782CD52733DE029DCF13752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231414Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:57.411{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91AB0F3D1F7840B7F262883FD532082A,SHA256=CCD5744DFCC1C4DFA465E80408E5E7AACC300D890BB3F5E206B50AC5167F72C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:57.163{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=68A5251EF3E528DBF50F35F4F08B1729,SHA256=EB1794F93CCBC6341175BE85467F6AB4A9123FECD31C094A14A0F13465800B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:58.636{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D06B9F77CC3FE6F94C400F1B6B4257,SHA256=76AC77E1AD03E218175582CB01D0978FB08BDDD3F17E91DE87275697F4A6C66C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231430Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:55.366{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000231429Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.598{D371C250-6A92-6127-C903-00000000F301}39282796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231428Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A92-6127-C903-00000000F301}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231427Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231426Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231425Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231424Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231423Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231422Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231421Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231420Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231419Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231418Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6A92-6127-C903-00000000F301}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231417Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.442{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A92-6127-C903-00000000F301}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231416Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:58.443{D371C250-6A92-6127-C903-00000000F301}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:59.652{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC42B8B31DF646EC55C98E4C1B03FCF,SHA256=967FBFBDE65FEA0CBDA2DD0F3A09D23242310AAE8454E6F5C501A1ADDC34A8FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231447Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.723{D371C250-6A93-6127-CA03-00000000F301}26483920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000231446Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:57.147{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231445Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A93-6127-CA03-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231444Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231443Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231442Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231441Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231440Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231439Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231438Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231437Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231436Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231435Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6A93-6127-CA03-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231434Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.567{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A93-6127-CA03-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231433Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.568{D371C250-6A93-6127-CA03-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231432Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.489{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF291FE1C4F005E0AD01DDB9485D3A28,SHA256=778E6664EE8EBC300166E460D591E29F5B912CC14B61AA92D4E45F960E18B123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231431Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:18:59.020{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB1B6107160639D64FFBC93282419C5,SHA256=F00414C4AA0D2C5587F112719B6B7FC4E76653D1A26F2F0D809FD828B9BF17E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:00.667{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD18B3948B498CAB6AAD035FFEEFBF68,SHA256=958A3789102231CAE9F63B00209AABD6736E4D5855DC4CAE84F7ED663AC5E45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231463Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.567{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0458849A73DA57238F22508BB0303C15,SHA256=7910C35183379AC0589098F2BB631D6F8A3171E5EAB686815761B73ED7F977D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231462Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.536{D371C250-6A94-6127-CB03-00000000F301}5043812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231461Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A94-6127-CB03-00000000F301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231460Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231459Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231458Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231457Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231456Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231455Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231454Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231453Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231452Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231451Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6A94-6127-CB03-00000000F301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231450Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.176{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A94-6127-CB03-00000000F301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231449Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.178{D371C250-6A94-6127-CB03-00000000F301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231448Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:00.036{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502E5FBECD89624A8DC0180372E5F9A0,SHA256=6A2CD423EDF6AB754FA628A17E574BB460A68F190454426B28AD93B109EB0194,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:18:57.595{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:00.214{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=144BCF100213E9CD4CE3805CB2994FA4,SHA256=F6A985DDDDDF8069BD5C669552130383A459E8FFD20CCE457ABE3674A4B50018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:01.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BCFC912DDF579DFB3398B136E7A5A7,SHA256=286FE14218BA5A587FCE86EB747CE4E73BF710AC0C15FE62BE6529B573EB0D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231464Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:01.036{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA41DDDFB6CB284D3F55DB8B1F58644,SHA256=5FEEA5157F6FC6591F57E39523EB7A6F1BD30A0EB74FCE849C371DAC39E17F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:02.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF71C4A2F6485C685FA3B515E0BA8913,SHA256=5E9DE0E1D43E5E3738507B6143D257A8B78AACB59FBF266C5F368B9FCB07DF90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231478Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A96-6127-CC03-00000000F301}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231477Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231476Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231475Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231474Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231473Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231472Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231471Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231470Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231469Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231468Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6A96-6127-CC03-00000000F301}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231467Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.098{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A96-6127-CC03-00000000F301}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231466Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.099{D371C250-6A96-6127-CC03-00000000F301}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231465Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:02.036{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6138B5BABC6F68B82C62145EA952D9,SHA256=843B8C83A689B96D1DAB80DD048F51C2131CB59B8588B7B0950316759329B337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:03.698{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6EF619387CCA4463E8D5FC6358EF294,SHA256=7D6D44208F47FB8ECAEE46D4D46332974C2EC64C79CE71F558A364D8A7039D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231480Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:03.317{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D9B93A1D3C5E32F7F63C3A81ED88DB0,SHA256=2BC3515BB3DA9C41CC386D8E98340339CDBB52575E57B5182370C429A9852D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231479Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:03.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581E4C6FE496C1E9F11D7ECA201402F7,SHA256=1BB2FC869961E4BDA78010244195F1540BDE712908F50CBF1FCB6799BEE6233C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:03.495{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:03.495{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:03.495{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:04.698{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BFD94B1CA8BFDBC951623D6B91AF03,SHA256=A4D97B1B334453979B2729385DE84D6F06D3539F339F9395F5973CB67EDAD219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231481Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:04.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5368EB5CE02105840CF66D24C0E8B7AF,SHA256=B1DE9B40F5CEF140E18E85F0C522BA2C56783F3795DD631E4B8BEFCAE6E3BE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:02.736{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:05.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB2CD364CD84039289BA3DB6FE9E654,SHA256=286E2207654B13AB0D883780CB6D10BAB41359980BE7783510E2A5E14C58DF66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231483Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:03.116{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231482Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:05.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B672179309EB4C19CD82A099303B6C3,SHA256=86AAB72150E23EEEEC0076B6471D6C06D66A8A712234C526E96C7383682C17F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:06.730{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C7D95605F0DBDEA2AEF586FBA747AE,SHA256=9CBA57EFBDCA13717756FDD547306E1AC176328E7AB79EB2A44D3C56EA875ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231484Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:06.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FDD9A5E35F7FDB4E4CB7CC53F6C0B6,SHA256=ED69C2DAC6EFC448433E6EFE1C28A88F07C303C6A1F476E9405B69F9C1102F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:07.730{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6138F188E7AFD9B3CC0DB350030AF9E5,SHA256=53B44A5E9A604FDB171D2D3A9CE6FAD1592A6CEDEF3647F2069209B837EA2964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231485Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:07.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B966EF08423D3B751CC975E6555E7D9E,SHA256=1B8F3CEC08312DB903F8E97C0697C3DD130AD69B3593BEE66D37B8106DA1CAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:08.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB86AED188FCB21F5EA9CA6CD8682F3,SHA256=EE8BEBB5C6A1FF3C3A29D351483825EA347AF3718F610CEC6EDDFF1E4A665B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231486Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:08.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF85A97316B890ED79BEB71A5DF8FE8,SHA256=DF0D6AEA8985595F5684AA459376A230A165EAAC878168B90FACCE5A33E4942B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:09.761{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21CBD8397E17EBF62CD20B552E1F3E9,SHA256=A951A498C93E377A34610EA7379B7524FF8EC4C4C97DBFA34A3C2CFA36C9DC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231487Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:09.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81641A44BCEE0E658F3FE4DBD362CBF,SHA256=CB97D745122E2F7473B25E1A1383E77CB1AB858BAFA5989716581E09AABEFBA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:10.792{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF83EAE88883FA0B9343D808B298ABED,SHA256=0653141D127AE74F0976B948E2315AE3308B9556FD6DE32A3923F700EBEEC1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231488Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:10.145{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB22D44ED477C2C1F2347EDFFACEB30,SHA256=780C64AFF5FE6786C809D75AEF8EEF47C572F30774475512D1D9AF318C617A26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:07.829{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A9F-6127-0704-00000000F201}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A9F-6127-0704-00000000F201}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.933{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A9F-6127-0704-00000000F201}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.934{80A11F3A-6A9F-6127-0704-00000000F201}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:11.808{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE883433D080620D7411C51D388B878D,SHA256=9078BEF2AF51B58E647C3CAD6221007CCFD3208C1CB87F04D97770FDCC3A79BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231490Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:09.116{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231489Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:11.145{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2616CAC1A63546DB0858CA77F082F55A,SHA256=D9DD9E68468847808CF150BD8912DA04CD5616E6AE760F317ABDD8980EDBE38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:12.948{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBA7BCE6109B883650D1314C1BE8DEB9,SHA256=B56D97A37BE1E87903496A32D1D9DF61F21DB96588B420A4591E9A6D8F79EC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:12.948{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ADA37D042399E2FD1DB31178F8A24A5,SHA256=8683E82612FBBACC6D1B13A5146D418EF1751F49E2CACA144AF605B8934F5F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:12.839{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC35DAA467B5F51F7B604E5FB7AF1BB,SHA256=09D75A172179EF08E54C6F394D70822CA9BC1AD5FCFB0516F2794F9F4B982412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231491Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:12.145{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2AE3079C907FAEDFA8108EFF4ACBFB,SHA256=A0AE06F53FA29C07BAD820E7113F53DEBAB44E1EE94C677859FE8297147EE83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.917{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F6B060544F5DA635C141819CA050B4,SHA256=B4E94D05C9BD612F5653A35CA2BA129DD583DF82D3778B965476B5D036538DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231492Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:13.145{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8149D049791EF8FC3DE1A768C383F59,SHA256=6741BAE3721E706E6F57DAB899C47D260F5CA579EF1C62D0AB4C3EE24EBBF93A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.886{80A11F3A-6AA1-6127-0904-00000000F201}24684784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA1-6127-0904-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6AA1-6127-0904-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.558{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA1-6127-0904-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.559{80A11F3A-6AA1-6127-0904-00000000F201}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA1-6127-0804-00000000F201}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6AA1-6127-0804-00000000F201}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA1-6127-0804-00000000F201}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.058{80A11F3A-6AA1-6127-0804-00000000F201}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:14.933{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A140104A1414507F11548B899190F21E,SHA256=24F93FF82041E175C7CE162FF88F3A98C095AB18C82D6C2957F376370287A58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231493Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:14.176{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF87379A16436B82BE0DFCDE22CDB0C,SHA256=27568CACF33A0A46234F9BC7C5FC00C1468DD2D9F157A6DC27A805DC6B33BB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:14.073{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBA7BCE6109B883650D1314C1BE8DEB9,SHA256=B56D97A37BE1E87903496A32D1D9DF61F21DB96588B420A4591E9A6D8F79EC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:15.948{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2D6E1DF9360D6EC2ACE1F4AD252C9F,SHA256=45CD318EEA700AC700328ACDA8AE2B20CFAC6EB4172AEA160FC6BB0F5C767D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231494Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:15.176{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0639B889700FEC3AD4B0EF1145A83C,SHA256=86469A4883A77470B9B6F4C470EB4E15BC704FB6F31FAA6BDB62387CF3777D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:15.542{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B2CBBC581AEE4B33B19B3A0BB3FFED,SHA256=0D494A9909E1E14EA5E6005F5C93472EAB0D6BE6584CA276B81CF6812614AD60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:13.751{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000231496Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:14.178{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231495Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:16.176{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A73462F1435227398E19D7C6A84E8B,SHA256=1C0241AC618A603E4FD9E225DC103AED224A8F307C4F06BF39D1F6DFB3F40D0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA4-6127-0A04-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6AA4-6127-0A04-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.839{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA4-6127-0A04-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.840{80A11F3A-6AA4-6127-0A04-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:14.079{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58151-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:14.079{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58151-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 10341000x8000000000000000272473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272467Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272466Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272465Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272464Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272463Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272462Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272461Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272460Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272459Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272458Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272457Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272456Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272455Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:16.339{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231497Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:17.270{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDF43463ECC5228F34BB32057C2BA01,SHA256=389679170012F337711CFDD5E579ABFAB4ADC8901D5C1E22AD579DD27F544FA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272503Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA5-6127-0C04-00000000F201}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272502Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=504DAB307024E630FE251C4FF51F75F1,SHA256=53C07C36136F8CD94150AE375888CB6FC003A7D3AEBCD75A068787AAC180AF41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272501Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272500Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272499Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272498Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6AA5-6127-0C04-00000000F201}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272497Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272496Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.855{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA5-6127-0C04-00000000F201}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.856{80A11F3A-6AA5-6127-0C04-00000000F201}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.636{80A11F3A-6AA5-6127-0B04-00000000F201}10484504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA5-6127-0B04-00000000F201}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6AA5-6127-0B04-00000000F201}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA5-6127-0B04-00000000F201}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.357{80A11F3A-6AA5-6127-0B04-00000000F201}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.355{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E283A715004A59680313A014D2D1C48,SHA256=17CC7F3D8BC0AFB31E094D6D473C52CE9498478E91FCBC22FAC84E83DDE3AE0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:17.043{80A11F3A-6AA4-6127-0A04-00000000F201}50641076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231498Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:18.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A03625AA81B42B97CC32F58A404CDC,SHA256=ABF481E7DBFE5DACFC0BE0F7620527133C58DD9EE4F424BAA5906609577439B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272506Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:18.870{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3203A20E4A4C42F00B5F53AF337800EE,SHA256=6450E69688F1B501751706717774F36CB648081214E944F4303C9066F84EF52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272505Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:18.105{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FC29279DBE4D1B0AB066ED9B67333B,SHA256=C8CBE0BB027BDBBFFDDE15007A215D33BB9CCB2E1482E9B595D604D666524D67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272504Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:18.042{80A11F3A-6AA5-6127-0C04-00000000F201}47563960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231499Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:19.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1214519D3537049C4EF4B068404439,SHA256=1CC7ED12C64BB9C69C064098DBD0ABA4E04EEFEB0EEE73F2EC294230978F1347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272515Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AA7-6127-0D04-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272514Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272513Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272512Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272511Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272510Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6AA7-6127-0D04-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272509Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.511{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AA7-6127-0D04-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272508Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.512{80A11F3A-6AA7-6127-0D04-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272507Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.105{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7427498078E2C4DCFFDC11630E2BA182,SHA256=FBC037268EAFC2904CFFE0F80B64A1A20D85724B4A1C894ACFAF5F06C99ED851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231500Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:20.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D7EC549BDD567D85BD620F8A36F941,SHA256=3AA9928DC4F3744F78EC4087C81AC85CA95AAD27378C47C3179E2B57C493B9A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272517Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:20.526{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00B38B170B32F227AFC1068CB9C5A97A,SHA256=7EB38F7EDD2AF28EC6601617C996258F9516987974572AC779E5B5DCD0706098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272516Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:20.120{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20DBC68E3D4DE750AA2CC7C9EB63A45,SHA256=8B7E722A39943244E91133CC7283A94F46C2D506A838ED24C90BF1E53E2F3427,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231502Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:19.194{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231501Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:21.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11BF6F22AA60F2459AF279AF1FE8F84,SHA256=86A1C4A8BFE07814738780E51A946F5408FDEFB455E56DF3B9A91126ACA019E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272519Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:19.785{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272518Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:21.151{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED7C16BA5A8C207CA59775161AEA0A7,SHA256=F847E78E0615FB85D857FC442B908F90760E4D6ED7121BD73AC83150BE81624E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231503Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:22.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798486A952CA8D94B69CECB0929380BD,SHA256=C6034D37304F08440A5F4127643323566D269AB34CC88EFE2A3BF420541AFF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272520Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:22.167{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB15FE853E70726C4C5EA4CBA3ABCFE,SHA256=F2DCF0BCFE1031F831FC8A628846714F6AB2E8617A8A822DC6DF6BBB04A3DF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231504Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:23.332{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B256693B8BE2F7E6DD848A994D7A2166,SHA256=5F976774460C6D5E71923DF1CF798258168987ADCEEFA4C9B46996D36E6452F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272521Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:23.183{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB33423797E976F6BD3D1EB1D80379B,SHA256=8AD4D083D098487045569C78438D0391EAE34406C304CD95234363BB0A1118DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231505Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:24.348{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CDB2E8A216D9056037233F4D11B639,SHA256=DF530856A6ABAE6AAD98B47C58118148E02E8CF4F9021FFAB6D53F08C9AA23DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272522Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:24.214{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7994E3F99FC5004619C728C9CA624E,SHA256=E47B6D957356BFEE9D2EB2AA7E9E83B51CFF95D4209C98F89AB7ABD11D2F681E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231506Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:25.348{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C4113A1564279AB0AD20585D01C368,SHA256=4A06C6A08392183FA0E67209D3DA0FF40B39A897DF5529351258483EBAC6CD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272523Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:25.230{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A261C3E369E3C490F6458FB1948047,SHA256=18C7DFD917864B5B6369448D58A4206654C8FC76F1AAE3ABC1A18260E4812F9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231508Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:24.225{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231507Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:26.364{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786C44619BF45ABC5DFA91EA6DDDB6BD,SHA256=83FF37ED6D1F38AC6D2D405CC0B1EBA92B1608E43C6DF1AA01401AFBAD6EB639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272524Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:26.245{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A82FBF3B91A02027EF350D38D26FFB6,SHA256=6EE09045FCF5F7F2709C5B377E8A4B098054025C0995044CC1CE5A35E42A4F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231509Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:27.379{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85419D3F12EA3B0C28CD9B91F91048C3,SHA256=528E74508F03E471157551E4DAC2FB1D16A5B0CC565BE956B8A46F9B3276EF16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272526Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:25.814{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272525Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:27.261{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974438B66972A6F73E400AA7EB5617C4,SHA256=C37E1477B62D0B297CEF378871E02DA4E74A5B1927FD5684F8315DD5313F4D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272527Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:28.292{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5469BDC5022CC6713A80890341168A94,SHA256=4C6A93E66BAA28B8D2FAC9B89B03DCBBDA29234BDF7FBDA65B0BC756D21471DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231510Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:28.379{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DC25708F9A9539BE73CFEC6279A5CF,SHA256=DFE54E7E5AEA0649686D499342F4F4179E6EA833DB0EEC05BF025D7F6F662EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231511Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:29.395{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EFAB3CF3A8C5D916F9FE50574C14A2,SHA256=2D2454C806458C0098B259371CE8A095217B60359CA984E991F51CBAB28D4F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272528Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:29.339{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B721BFCBE6C244FF5D91CFF2CF6EE0,SHA256=02DB920A9EB25E8DC03905BF1AB69FDA13F8494B91598B9956157186645E9CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231512Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:30.395{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0503754F390B8504F019E973A54321E8,SHA256=507D796B86A9D432637D52A1117F744BD7F4C282E33E9661922857FBF2336EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272529Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:30.354{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A7D4FC91E1930DE1223E1F7856F38C,SHA256=51F505B4CE505336706581DBE9977307AD23997F114B5DF96581CD38D5B49D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231513Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:31.395{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D243BBE42404984FACCE35F32A32DC,SHA256=1CCA096301CC8E6D0BE546847E7E1C871CD5C0A1FC8711C5FACEC578B73884EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272530Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:31.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507DB8C8160251701708E526F5ADF70B,SHA256=D6749EDB42AB0A7FE93ACBE0B93643946E8ECE5DE5BACBEB38D5AE243B6ACC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272531Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:32.417{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EE8E67A4A3E5BFDBCBB14435F816E1,SHA256=340C40FEAE82C9967DA197B36D24FDB2534FDC9EA54DF67F21B7783DFCBDCC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231514Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:32.426{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E69E82B6CDAFE255FFA6CAB1D1B06C,SHA256=61E67E434D8D8C226F4DDB362CB341C615377260E0824410F97067D6AA877EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231516Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:33.426{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6538FCBC0449585922E5B956C6981D,SHA256=2FD0887B8326B6D89039239F356AE671D89CB880DF373A601C6F8DB979D1DAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272532Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:33.433{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA2CC485BD04C0FE338D26C80544BB7,SHA256=8E2B00A1F7B5E8884512E65121FB4B3F2FA9B53EEA9E0182CA21DD53E49685D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231515Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:30.007{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231517Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:34.426{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA95AB3702D364301E22F7BD4FB05F97,SHA256=F065DC523D3D309BDD027E14C21EFC1BEA450EB1177D82C7FC71FD8F7B46717B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272534Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:34.464{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEC31B9A77487BA4E0BFADEBF5F2C1B,SHA256=0069DA376E11DE9EFE6F08045F795C523C3DE70EA2FF0EBE93E8DB59778BB145,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272533Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:31.814{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231518Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:35.426{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A130905C776D403E7267DC9E74A16D5D,SHA256=617921D4E305D43276EA8AF67C68E2FBF2D5FD2F8FD782D436201AB4A4171EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272535Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:35.479{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC81CA238F0E2355B1EE9194470C031,SHA256=CC67F6D7F39CF7A9E3FBB453EAAAD780AEB7FB26898C867D3EAF75553D1DBE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272536Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:36.526{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B81873BA5C5C1B5A7880D79C6F11A3,SHA256=0224663D7F899CF33701814591BA438EFC1A512996FAEB60564C4F2DFF3A31A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231519Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:36.457{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6222097CC6F07EEFBAD42AFED8D42111,SHA256=1395C7C1BB2FB6C022176B715D733692D9663B7F54D544EE014EA3CE4A4C9232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272537Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:37.589{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5497B71F21165699A496C38FAA0B1E,SHA256=FA3104410CA375B2646A96AE05FDDD05617D749F8848D617E1F47C15DB1677F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231520Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:37.504{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E27D279BD6C56A645E2CD340D26F10C,SHA256=002B39A36B116960F3C9D10FC38E79BFD433F8F24BA7C0170CDFBEDB001EC1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231521Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:38.520{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3592245C71FD8C64F242745C7BC554D1,SHA256=DA734F96505C4A675CF350B9EAE133F14801AAB5B9EC1285D7F2415E2F15DEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272538Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:38.604{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360A441DE670B3E147E375A90399D1D7,SHA256=45460F808D670C41CC9E26CE716FBFF5845EFDC132C33C50B5CDCE59882403A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231523Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:39.535{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372B900BD6BDD9FB6B361932DF149DA9,SHA256=D60C54280A6E0517D71D23C4B0499497F3DC9E8758B5E7E245CC67F6650154CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272539Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:39.620{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E46B0FD649EF4AFE66E2D787D28021,SHA256=C13167E5F22B7AF1E5457C31FB496E6E82AD81F4F3F15D9300356B41135992C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231522Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:36.038{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231525Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:40.599{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FFCB6739033CA09C3FAF2A0D8EA79C,SHA256=C4FAD6CF1C52F11B34CE52A6EBD155C2CA91C9BF45090148C4D8EEE02DF62166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272541Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:40.636{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C6DB8E4411DB1123FD7DC55FE7A84C,SHA256=A04CE4DBCC9C981A10ED9A842185C6FE369A37694F6798DBBDA5C0077D041B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231524Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:40.320{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-114MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272540Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:37.798{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272542Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:41.651{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430741062A0190BBCED515DAA449D7EC,SHA256=4D52B348C0227F42D94D6967158617F9D0D8730383C9296AB2CC79BC4A3EE522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231527Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:41.706{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8ABFAEB287659FCB0EAFE85BDCE374D,SHA256=149FD3B64C08CF889FD5E0597923196808F8200607AD0DD455CF830CF665394F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231526Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:41.334{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231528Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:42.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6482FF5309CAE7FCF3C326E9E2D1D4BE,SHA256=1356D31CDC7EE1169D5E21E1DC2213A7F5B460EE49790DF5E10CF71ED6028277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272543Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:42.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA5D85A2C17E1903F706448200E6A76,SHA256=88516C761E59DEB4FBC8527F2840548D0EAE40171338E9AB770059BA1B00502A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231531Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:43.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF160D7C2F1387F1F1B352CC4312562,SHA256=DC373107FDAEB2BFB72EDFC44773E53915A37780AE4AD00F289A7EE30E658DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272544Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:43.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165C82EF409BD54CE67D6FE113A8A292,SHA256=99207E5907C5986417120664A205A42B1F6EA436FBDE3BF8E84994B05A375E74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231530Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:41.225{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231529Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:43.426{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4B6EC134EB033B348EBD48BB69F5D523,SHA256=26309029C62EDD7769056E00F7D767D8E97745784BDF071F79CE3DDB443298F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231532Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:44.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569087164A17081ACE1D0BA48D22D19F,SHA256=5A1CF33DA87B478DCD577D2702D3F4691B989ECE4141DFDCECF5ACC69631A018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272545Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:44.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B9DDA786204AC99282260E0265F56B,SHA256=2D71382F8581074A30E3F4F425C630F0F923E111DD20294E136E7A22FC722464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272548Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:45.917{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FB43EF7CDBF6000DF8A45501E8C4F9,SHA256=31063A93EE754B938F654F3B6A042765B02515A4532D8AD7495A8887372F4521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231533Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:45.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C86BCD97C1CC3100969FDCA848864AA,SHA256=341A9D11F89EC1A8BCE524E7EF02C7A154A117DB7C911401B3C7B3DE75A822F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272547Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:43.630{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272546Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:45.182{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2FA36E0756B3350F84BD743B7730FC8B,SHA256=A48A48D41EB61C6763D1F304405C49CB88D7A4017F0C461AC52E753007928840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272549Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:46.932{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4458C3324DDDC64B73C37AC2950E992E,SHA256=3B734DDD085E0A322B240D5A62A6587DDFFB426F9F4C84558354B2079B3056D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231534Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:46.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C2D8DBC7174A59A3109F2914A597C8,SHA256=4E6F98A7CB8B65E429CC7DFBD054C1B41F47C4A85887C77DE5F8493A3E29094A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272550Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:47.948{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FCBCFA45E93DE111B23F0850A2930F,SHA256=AD04451DBAE2CF3AAEC3863EBB88FEA45C850F13DB74BE5263E1A871951E2E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231535Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:47.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42C875C93311420FE20D06EEFBBAF86,SHA256=BFD12026ABA0A04EAF2E6620B8DD1B2B60B31B9E08D10E0B734A95251472F5F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231536Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:48.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF978FD9F5E91745BF2D7E0CAE8DA2BA,SHA256=02DE7F1D2576E148BA515F8CA52B9644C3F39A4D852C090A9F8DF30783EA9865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272551Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:48.979{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D8CF4A1AB1B2111E143E27D8DC0A13,SHA256=4968ECE80AC7B75D136630DBE8ACAA1595F748C1B19F371F49D941698952A480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272553Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:49.979{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FE7AA17657FC62DBE6695F4980720C,SHA256=27515947EDE52314305AEAC08CDB1CC52EC65CEA92887042FE7B3CA59AF3C8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231538Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:49.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354C4280E599D939AFC70165256DBBD0,SHA256=4AFAF5A19C160127C2B7CA1108466E537F9470D600D2282B102AD2D8D725E802,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231537Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:47.116{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272552Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:49.573{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272554Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:50.995{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BBE83E48D50BF0B02DB58BD81C7FC4,SHA256=1DE1BEC0A62455AEFCC9CA04A7BDFEF3DEC8C8CEE4B8737C7ADDC474DE60DED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231539Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:50.707{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3663959AD47D46B36B926BE3510CF2A9,SHA256=ECE5A87224B35878728A6B55211DEDE3E414F3FFBEBE7D2C452A9EBBE6C75E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231540Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:51.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34ED2B838331B79595FE1540417592DA,SHA256=8E38CD12852E560EF326DD9846BD7DBDD346F3BED5D10D4A98FA56538A66AD85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272556Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:49.657{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000272555Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:49.126{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231541Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:52.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D91BC4C09662EF98899344F47201708,SHA256=0EDEA5908D8D99E9F630BE4A2E59F65ABB7126539B1877BB1849C3D7BDFDC189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272557Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:52.011{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2942427841E9DE20FE14C058CA32499,SHA256=8B5A3B8B233BCDC8F485980577479E7D2650952F9E9978C6841EF228AC8EC06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231542Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:53.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD52DEE7E6A2B1A56AD21CB3642B501,SHA256=7049FBA3BE5C5E2437199183DF5A6B87D28DA44BFB148ED9C6CD545E49549C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272558Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:53.042{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57CE7C039C1145AC85F7B5B4A5124BD,SHA256=5342F689A92B0EFC9689551803F0136F74890615DC7C3DD11381DC5A385717EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231556Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6ACA-6127-CD03-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231555Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231554Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231553Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231552Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231551Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231550Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231549Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231548Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231547Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231546Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6ACA-6127-CD03-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231545Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.848{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6ACA-6127-CD03-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231544Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.849{D371C250-6ACA-6127-CD03-00000000F301}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231543Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:54.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9B3E07D8A8AAAFB8BCCC8EEC3051CC,SHA256=C55CC45296DE7E62C17A69BB8EE993109E1B74C261D82E64CE5BFEECAD9F3F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272559Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:54.057{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9614ED9DB2D585B2201F514A6C52348E,SHA256=36B04FD180A5ACE7B178DFC5044719F24B92BFEBF2E4CC4EBE6B8432FD3A6CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231574Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.988{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B42DB745F29E1C482364D64B5AF19A9,SHA256=70CEF024696A1BFDCB52B1EB37988FC19290A21CA596218DF6B24643440A0584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231573Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.988{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16ABDA13FF282B9F376D3ABBD5484F1A,SHA256=56877BF2B7FC1DCDFD37998308CFA4FACC73D9FC7F6A81CE81CB7810C09F04A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231572Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.988{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B11C494B2BDE5C70B3CE520BAEA71BA,SHA256=D6E9DD2D3451B9B4D639D00FAC7A8120D57B067849595D021AE6F8461C7BF955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272560Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:55.073{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE533C2435D6A9B04032AE9F12938B7,SHA256=6E44EB463749B29DA2F90F314B156C6797D4BD70750FB481C9D601FD585FA6C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231571Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:53.132{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231570Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6ACB-6127-CE03-00000000F301}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231569Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231568Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231567Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231566Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231565Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231564Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231563Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231562Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231561Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231560Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6ACB-6127-CE03-00000000F301}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231559Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6ACB-6127-CE03-00000000F301}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231558Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.520{D371C250-6ACB-6127-CE03-00000000F301}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000231557Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.004{D371C250-6ACA-6127-CD03-00000000F301}32762044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231589Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.988{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD75AB612F48D669CDD249598B227A8D,SHA256=15048C335EA712A254567C768123C5DF5F8A291C87937C6728BA328C28A2B9CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272562Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:54.767{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272561Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:56.073{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04ECA603AC426EA6C38E9CA3EE2788A5,SHA256=B42112C0D422E3301EE7968F3321813B477923D78739DC0D14BAC871088EB851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231588Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.426{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231587Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6ACC-6127-CF03-00000000F301}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231586Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231585Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231584Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231583Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231582Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231581Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231580Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231579Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231578Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231577Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6ACC-6127-CF03-00000000F301}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231576Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6ACC-6127-CF03-00000000F301}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231575Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:56.192{D371C250-6ACC-6127-CF03-00000000F301}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231591Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:55.382{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231590Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:57.191{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B42DB745F29E1C482364D64B5AF19A9,SHA256=70CEF024696A1BFDCB52B1EB37988FC19290A21CA596218DF6B24643440A0584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272564Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:57.483{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-114MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272563Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:57.074{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC06A00469DF966A60EF9C467BA3923E,SHA256=EC9AF60FE0AAC69E6EEFC9B66217B73803DECD5778D4DAB94D036B2C2A7FB084,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231606Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.551{D371C250-6ACE-6127-D003-00000000F301}30401972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231605Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6ACE-6127-D003-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231604Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231603Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231602Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231601Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231600Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231599Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231598Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231597Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231596Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231595Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6ACE-6127-D003-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231594Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.363{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6ACE-6127-D003-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231593Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.364{D371C250-6ACE-6127-D003-00000000F301}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231592Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:58.051{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2C6003F38F1F2A64D691D9ABBBBE07,SHA256=4E139A4B7EC00330747D57ACA0B5F18D3617F32AE5BF7BC56028A4451C22EF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272566Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:58.496{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272565Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:58.104{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C273682FCFCCC5EB7023CF9B447E530,SHA256=04777E54DEDEAF40A24D172734E160E5D599C9D3E16A38E1A95CD4CDF05E9DBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231622Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.645{D371C250-6ACF-6127-D103-00000000F301}19883592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231621Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6ACF-6127-D103-00000000F301}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231620Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231619Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231618Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231617Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231616Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231615Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231614Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231613Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231612Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231611Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6ACF-6127-D103-00000000F301}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231610Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.504{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6ACF-6127-D103-00000000F301}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231609Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.506{D371C250-6ACF-6127-D103-00000000F301}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231608Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.363{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A736596333044DF1A55217AB1EF3B8E2,SHA256=163B417B5626D911226531C31A64E1378E49664A47999DCAC1BE007B21A51A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231607Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4311C6169AB265CA2D603B3D53BC26,SHA256=5F1FFFE6D14E85C1162FF38C045664F82D50D06473CC00107AD6021B82074891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272567Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:59.106{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F04FD0E0B9EC5BC9B1F350F642D559,SHA256=CB9A7786904315C8D279BC5A5853512E1F567D72622FB21D93B26AAA4A4BCD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272568Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:00.106{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA7F0CBEC59F26BFDF31592CB8F6A0A,SHA256=5FF5E8DCCF78D70D834E00965AAD2B7BEA7E59B6436FFF9A0E2D030015E64C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231638Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.504{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5FFD20C66F5E38667739CD3309FCD74,SHA256=1F7BC90C00FEF5E73B3228A8B37E9238CEB492EC2ED6B6F11C77450C5515A02D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231637Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.332{D371C250-6AD0-6127-D203-00000000F301}96744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231636Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6AD0-6127-D203-00000000F301}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231635Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231634Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231633Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231632Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231631Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231630Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231629Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231628Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231627Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231626Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6AD0-6127-D203-00000000F301}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231625Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.176{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6AD0-6127-D203-00000000F301}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231624Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.177{D371C250-6AD0-6127-D203-00000000F301}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231623Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:00.129{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FAB5A6E21C558A0A118606AF5606B2,SHA256=8630DB45F9C21688DACD6047301D038FAC8FEE8C57118870A52AC39C5C1D554E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231640Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:19:59.117{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231639Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:01.238{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE196B4E312ABD3EC306337F78BE1D60,SHA256=0FB1682852B7A5D331614A5C316624650A8F3D284370C80DD5DC7A08D158F6F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272570Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:19:59.769{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272569Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:01.122{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCEC9E090096018C722ED41D7462190,SHA256=C0B50EEA5435B15CC849C4C05169ED1C644518B178882B68FA03A50776A438C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231654Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.270{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F8574C2F76EB0CCB3F46FA90C3F288,SHA256=AA1FA0955B5E64F8752D1746AF9CD8C5156F6085CCF73B3BBFC936FC89786D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272571Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:02.137{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F425F9D1B831FF23EBEEB58165C5DBC,SHA256=C0C9B610306BB251CE27C92BC23EFC56E9BE48B0D5F5888BD9EDE9D8D059AAEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231653Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6AD2-6127-D303-00000000F301}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231652Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231651Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231650Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231649Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231648Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231647Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231646Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231645Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231644Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231643Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6AD2-6127-D303-00000000F301}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231642Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.098{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6AD2-6127-D303-00000000F301}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231641Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:02.099{D371C250-6AD2-6127-D303-00000000F301}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231656Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:03.285{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D1EDF0B803E4A38C18BAC9BA169395,SHA256=CEC3646E98A9FF3B563E629F7F86F22C87C49C22F8F86992ABF80CDE6FADB05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272572Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:03.137{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036E50A51F447613BC2C71A41C2AB83A,SHA256=25B7B0631B5E10BE85127DE0BCD3280A99449FC6F6A1BC117D741E76A5F55A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231655Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:03.098{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=689EFF301F0ABD32173BD78D0F0FCA38,SHA256=F270C2F2785A326F819993A4B9EF101790D376F689AF8D963C23A4D5D09438AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272573Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:04.153{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32921D48D63B13D28C55BE497D546065,SHA256=8E33CFBBD34276FC3FD263CCA8D02820588A915BB75EA26E3ABD593431FCAA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231657Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:04.301{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4701A35FD42D30871DE9F4C61CD9FB5,SHA256=2FE8200EF15BC404AFA3DA513B5A63FBA4264C2A29FC26D1E14DAEF741083762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272574Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:05.215{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D434C75B694CF89D7D8B741E9D4C5191,SHA256=6876AE0227DAFFA6926AA43ACD1B1C114D448ADC34B5F56CE7A7805D9CE1A58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231658Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:05.301{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0202CB60F52F69C3A8941A234F4F18B,SHA256=141B7EFFE388C92730D50036A3925AE41D3484291D1EC36BC71FCC542271F376,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231660Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:04.179{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231659Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:06.363{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039ABC350E41C5ACDF16275B3EF171DD,SHA256=C8F8B0113DAAF8FD03ECB572A22EB6C15AC9678A2491F786CF43EDC2C96C4629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272575Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:06.231{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AF4444B52A7E77679ED18B9E998119,SHA256=4A08C4544D5B9B452744C2331924D9BB760092FDA65B69D42683D11216E3A7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231661Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:07.410{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B9A3C4D78956FB98EEAD2E5D97F79D,SHA256=ED6F1445920F04FF05D6FDE096DBE94E5CEA32C34C0D798A9CEBCBDAC28BE2C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272577Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:05.690{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272576Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:07.278{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676793251AEB64F83143223334270667,SHA256=020F86CA2548D22AE8778A622928174D5D54B101E4D74036326F8A73BEDFC2FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231662Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:08.441{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE9FBBF344FC424CB27DFC71A842C69,SHA256=3535E844A00B699E60E208A006F46EF9FC3C42E1230D5810E594B70F0A639558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272578Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:08.293{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5EF77DFF11D00C3382C172118C12D6B,SHA256=BC5EC61BDAAB7D06713F9036FDF58DB1DF2D5ADC1397F7E01EDDF4CA787EC631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272579Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:09.309{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F69D00FBFB62A1D3F43685936FB4AE2,SHA256=D765D2FDF3C4A40D271079B43E169C8CE036B4B002C459FF0C57421C0697FE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231663Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:09.441{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1FDD1B31846CC32394B9ADDE3BE59B,SHA256=A84A38F7B60A6C8E574D785AF430BFD389C2684190EB8A836D5A9A90DE3CEF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231664Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:10.473{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDA33E728E49F4FE5B2A0B191C0E81A,SHA256=5076DF9BBB3BF2588A158ECDEE6A87E3A629E59ABAD9B2D1472D5CB3D8649FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272580Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:10.340{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08252741B3DF18300F7413BCCAC2249B,SHA256=3F5FCE6D0D10B6C3EAB89059238F5D401E0E40188D1981BE40D4579F20C280A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231665Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:11.488{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781CA7483FB67103B916159EA97DCE8B,SHA256=37EEF157398D8A4A45D3234D95F06DCFA9D7FB9BB365605F81EA7EF21737FE25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272589Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6ADB-6127-0E04-00000000F201}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272588Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6ADB-6127-0E04-00000000F201}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272587Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272586Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272585Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272584Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272583Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.934{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6ADB-6127-0E04-00000000F201}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272582Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.935{80A11F3A-6ADB-6127-0E04-00000000F201}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272581Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:11.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6E2BB1A341E4978B8E296CAB53A7BE,SHA256=139BE739111D16ED9251F78F7E009ED9B8535C38D9C3705E0A759CADD713854C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231666Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:12.488{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A437CD282CF7C975C6D9C2B07F9A3B57,SHA256=32D40A57A3408DD6F82B26CCA412D0B7F7E2E3EB0656DE855E1683BE3809ABC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:12.965{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05AAAAEFB718FDC5A559FAFFDE48EB0,SHA256=62D8C15E6DB1AF17E1B406523B3852EDD975BA9E78BDD9C56D4223368748E601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:12.965{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFEFD00E922EA23BD491D771C92BB9F4,SHA256=BB7826F9CE68EF3EC09609D3FCE83788EF2320A85D5CF42D0199CDEBC434E1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:12.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDC7A87BFF2EFF827671EE74F5C7289,SHA256=6E3ACBA4BADF3B065D4DB85FF6861401208CB613010C988C1071F944CC274453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231668Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:13.504{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520FCFC41663130FBA5E297CBA87DA55,SHA256=05F08179295276C9F998F6CD09E09B6CEBF5B1E7B54F939B078D9E8BFF187387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6ADD-6127-1004-00000000F201}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6ADD-6127-1004-00000000F201}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.559{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6ADD-6127-1004-00000000F201}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.560{80A11F3A-6ADD-6127-1004-00000000F201}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.403{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5DF9BC086355FCA650F1E9E83367CC6,SHA256=1BF3277A03B1ACB87E6A08350648AD06DCCF26C9BF219C2B0A6F22DE2C8E3976,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231667Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:09.976{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.293{80A11F3A-6ADD-6127-0F04-00000000F201}40401160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000272601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:10.799{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6ADD-6127-0F04-00000000F201}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6ADD-6127-0F04-00000000F201}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.059{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6ADD-6127-0F04-00000000F201}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:13.060{80A11F3A-6ADD-6127-0F04-00000000F201}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231669Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:14.535{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47320C1A865FD64E5A2E20F6D604DBCB,SHA256=B636AF15A24F3B90DAEAF5A06E6B9536F1E7935FB14281CE3B9F3E7138150F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:14.434{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C15F69A4D260973D97BAD5F81EE5943,SHA256=D63D68B469F9B41C119606A5F894ECAD86B5015B446694624C8F6491D4BB1F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:14.090{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05AAAAEFB718FDC5A559FAFFDE48EB0,SHA256=62D8C15E6DB1AF17E1B406523B3852EDD975BA9E78BDD9C56D4223368748E601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231670Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:15.535{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9648F11D05796E7AEA375949A5860A,SHA256=62B76391B07817EB9981D57FD7579A615F1CBB9595E2FFB5485EAA347757D629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:15.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BE34F0322038C4F65CA21D80A424458,SHA256=1A7730EA81B84ECE1E2A46639C39406A0D46C5EF442A057A3D4B701B39196AAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:15.450{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E6BBD3DF0A9313E1D6B9F29C85A498,SHA256=4370110C5FECF28B861710E864A9D61A51F4996F7D90AF259B9FD950117C1BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231671Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:16.551{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66729590FC48926A86BD0199B346EEE3,SHA256=2F433F2945586E9E61E4C68D879E630D550B57D6427FFC64536AA393C215E2CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AE0-6127-1104-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6AE0-6127-1104-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.825{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AE0-6127-1104-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.826{80A11F3A-6AE0-6127-1104-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.497{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9ED189AD78A01FF11A9739B10BF153,SHA256=F7AA99116022A1C57432450726F44A4577C7A5BC06BE07F7E3478D94A3C037A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:14.081{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58163-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:14.081{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58163-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000231672Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:17.582{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF94C3000D34D7C73BAEB8D096F9847,SHA256=E278E568782E90F02126983444F733BFFD570808EA6FF5CCCB195B7487C2749B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AE1-6127-1304-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA658EB658E0D5B7EF9210E89E1502B5,SHA256=6A06C3B052846AF9085C494D370B3BE94AA1AFBE93C487893D6491C03225DED7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6AE1-6127-1304-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.840{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AE1-6127-1304-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.841{80A11F3A-6AE1-6127-1304-00000000F201}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.606{80A11F3A-6AE1-6127-1204-00000000F201}16323652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.512{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66C430BBB60702566D4E569442CBE91,SHA256=15FBB63EFD5F84FA889ACDCC5651A68FEA58A90C1B41EFD618F5E958C428E102,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AE1-6127-1204-00000000F201}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272634Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272633Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272632Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272631Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6AE1-6127-1204-00000000F201}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.340{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AE1-6127-1204-00000000F201}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.341{80A11F3A-6AE1-6127-1204-00000000F201}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.075{80A11F3A-6AE0-6127-1104-00000000F201}32244688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231674Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:18.629{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5242B9CDD83B78D74BC9E23FC80990DC,SHA256=1A2FF86D17908681DD61C155615CA45A3957BD5E4CE3D092326616514A43BBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:18.887{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC6FF8CE273C4702ED6E723727ADB878,SHA256=210D5054C6ED761C83D9320FB6427A14DAB12685E306131CF4FFA5413908E8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:18.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A92D8E7BDE9246BB93C6E3872EC9DF,SHA256=57F6FD2F6D153AF63423151A214F841312F94238231B5B6D37576AAA1BBDE6D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231673Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:15.085{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:17.996{80A11F3A-6AE1-6127-1304-00000000F201}27643172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231675Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:19.691{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A52D8092A6CC5050110BE2C6AA5ED6,SHA256=7F4AFB3185E5E384DDDC7C573BC840165B8096CB49C08F2AEAB9463D1210EEFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.637{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5596581DD20EA6C4F5BB44AFC01C4FAB,SHA256=1486EA5F1142E5801E2EE9D27CED3A80A1217609B084ED11E09E96045075D8F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6AE3-6127-1404-00000000F201}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6AE3-6127-1404-00000000F201}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.512{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6AE3-6127-1404-00000000F201}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:19.513{80A11F3A-6AE3-6127-1404-00000000F201}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:16.659{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231676Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:20.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10324D3FADB983AEC61C24BF40CA282,SHA256=949470FEF0E7D432E429CF9E6D80390C6E329DC7AB4E01E5F3A31A1655F6FBF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:20.871{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E902D1E8D1C3393AF902239091ACD443,SHA256=4800BACDCFABDB9079C27C85AC58762E92AFBC91C5231A375F1823BD384C2ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:20.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A92330E7A59B2DCA7EBB563F6DC5A584,SHA256=04146AC29FF01F35A2437750D1510AEFBACD4D2A8DD7EF8D94DBC282A24855DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231677Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:21.723{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529BC289A8ABDC85E647BD8010B11E88,SHA256=C83C70CD8E534774B3790C489BFDDAF531CF4173B6076B0D3F4961701233BA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:21.934{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B093D17314F90BE3CB5A88E9973B12,SHA256=DF3BA944B0DAA034E3AE1F17EBA6E54D5A330BCC6203C45896C74A044D8D7EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231679Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:22.754{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D777990AF335CAB8766A9BF4F6EAFA4,SHA256=C163A5B717FB6E76309504836E2303E10639544902C31A2D385BB634B6D9CEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:22.965{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9086296F6C10361E36B6EAC8130A8EE,SHA256=DC3D9F68642C0C6372CCF755C16B30BBEA7CD9FCE0ABF3309651638B37044D44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231678Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:20.101{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:23.981{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBA9596FD91C08BD2F35B27B3570A86,SHA256=25376B9CA3ACE3C4B789C7C5F24440714772C6151E601BCAEE6469920503C45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231680Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:23.785{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA423946115AC8F90733EA2F933EF6C,SHA256=2C628749CD67B0489FA89191298892F4B0A2B0B7AF4FDBAA2E2B340A66600C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231681Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:24.801{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825760FBB4585BFFD4DB267F4252544D,SHA256=1C9316EC4A16FC34048ED957D30DA11BE31749489665283A903C5AD062DBCF8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:24.981{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7839EE4C1D6E3691B7306C2CAB6577,SHA256=574D905CAF2A7FF692F2A5B0A215327160FBFF145AF70A793C371A0C20E63B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:22.659{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231682Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:25.832{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30069B25B72C2A3B0A16E0EF31EAE0A7,SHA256=9FB837276AEBBD79698711EB359DCC7D82585CE5E5DA9AFEAD3C1B8172FB45A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231683Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:26.879{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86463F77BE497CDAE5D4A50F3EAF7715,SHA256=3019697FD5F5E8E40D7289FC352118136996D7589CA8ED23BD2A0E35E7911CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:26.043{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F297408623FBC9FFDA228A8658DC66,SHA256=D3B31D9D8D0061A0D5334022FE48F3AEA303228C524632586836A4E192E2E100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231684Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:27.879{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ED27903576A60AD3C6D509ACEA3CF9,SHA256=0B687D66893A8B0906F39601040A7AB1441758198ADCD6249D3E2E28B5AC3621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:27.043{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32C43CC17407AB7CCC745B081EDC557,SHA256=24BFA1D23DD3483808AB5FBE1F4B3F6A618DB1CA420A1D8332BA62E23E73ED74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231686Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:28.879{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2877D2FE3873A80E59336ED4B7E1BC34,SHA256=3C573110A5C64A3A5FE22894F0CF0396F568F3E702B3A9F922C63FCA51B617A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:28.090{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E34CEF93B940FD54EE87CC3723EFAB,SHA256=90A33CA3D3E6F4079AFA732AAE6C10937BD2F3FDB7A06C0923B8FE0C2FC0E046,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231685Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:26.023{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231687Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:29.941{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485C4186F852785C6123084A68497C1A,SHA256=69A258C22B13F2422DDA3D68FF5730E3CBA3B44F8ED8A18BDC323EAD090FE3AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:29.293{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2140EDF707BAD7842C6711C4FB58EDE,SHA256=D6EF216F0B22B52CD20DF22534F345F4E09B58DA4BEA368905E1CF8C6F64BF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231688Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:30.957{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD925D5A903D3343DE49D5887F75253,SHA256=4328B5077406CEF6C43555C8D3F025D428159C1AE6C248AEAE04266B667B3979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:28.674{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:30.293{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2D2A6BB2C7154B1D39883E06B154EC,SHA256=97627C07296F349E8ECF5B7F699703A12384261C1C44A97CB32FEF9B8F9AA093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231689Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:31.957{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F922F78A4B6343D7255216DEAD75E4,SHA256=8450E07665C1251C0210419C360C4EBAC4A2DDAF11A256A1A22C6EB0BD74686A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:31.309{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028AF9076C4D11EFD82ABF8ED959B9B0,SHA256=7B5AD3772CC481901667BAAE64134EB6152B60F5C1B3F33E44A860FD1E0F33DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231690Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:32.988{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2505EC63C7DCAAC8A88ABF4EEAB97871,SHA256=AB0DC4730A3334C1CEEBFCC40DB307AA1779B83265CC7BB4F5642780AC6D28FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:32.325{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420202613180AFF93EA1CAAC05737867,SHA256=BA9974548DFAA25863F817E293FFCB4C256A17735DC83F103E38D08F38325827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:33.340{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08338B8DE442870E7F150E910493DFF,SHA256=FC4E9F7A08E6987AEF2FA983DBD5D08347AA5B6E66A5F29A96D99C00272E4C77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231691Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:31.023{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:34.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707F69386C6305C73FBD897B65282A60,SHA256=ED6ABC4F1024DF6A6B9C44DE855942484D2E804076D48A0614DDBBCABC9B8B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231692Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:34.020{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DA3D0D9EF7BCC91C8638194F080F2B,SHA256=B159CA4FD356279C98D3437CE77976C6F022A93E3D3C94FADFB48CD3FB127631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231693Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:35.035{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473D23379DB517FDCF05467B36969FF6,SHA256=0AD5B82DEF5BAEBBB190C8FE11D2A284F1A82DFAB3A5928B2E522B3808127D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:35.387{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E16D6ABCEF9E19D8865808786CBAE1,SHA256=DB4B76401C92DED9B6B8219DA5CAE9A605FFF518DFD79B67B47058FB9C47656F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231694Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:36.066{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD33DA0EB498C78C3DDAAD5396312B29,SHA256=8AB803F74A88856BCCE05D6C3233280F877F41C883DCB7D3454B7B056C696619,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:34.721{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:36.403{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA317825E2296B1768F41C33B0DAE3F0,SHA256=6F94A9EC3265FBEC871DDEE997DD47B22D2EAF06C32494E13BF09D9769BEC764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:37.418{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D208FD9C484B6E3EBF00319310413C6,SHA256=04221B8DD50BC3C4494220EAAD45C72635B9C7CA245727D70B9D642F360ADBCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231695Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:37.066{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF71DB2FD1CA43403509FE936F8477DF,SHA256=91F4295AAA38864ECF57160BFB1BD9EE85D6351598A0A29C4B4DDAE4D4271F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:38.434{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D1774DE84E720568F9A77527D9BD05,SHA256=96E7E58C3EA65E7E4F57AC457BF6561D257825C24F283F8BDE0F8EBF1FA051CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231697Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:36.226{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231696Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:38.113{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6E5C95A2E6E4DA36D25A8BC87E55CE,SHA256=ECDDEE12DA92CBF9D04D22C3693E6246AA70D5E0D6CDE989D5983D1E167FF9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231698Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:39.129{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A79D644819FA5BB156FA72DF843C6C,SHA256=B8367E9FC28398ECF5DB5E1DC5D67E6384CAA8CF001EA36F639E4188C87CED8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:39.449{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059BF25F179647A1B40921BCB63125DB,SHA256=D26B4403698669B4F8B6ABAB15B34526023B389942B42E5F5E1FCB8F08021013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231699Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:40.144{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798EA197B4FBF3588054670374ED6E9E,SHA256=770B1A46A87E2C54D374BBAFBAA4957721297015B4713103B50A868B8E6AB52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:40.465{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EFA43FC20CCB9F3C920328CA07B8C0,SHA256=F500C09CD6F2A57701BC97F4E08BA61D897575A627C6838F64F2369049EEB2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:41.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417AB81BDC140BE311D61ADF89D2E370,SHA256=A85C465E9310F7E9FE1C1EAD70F7407DF5C472B9429D915AE3345DE123A3421D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231701Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:41.851{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-115MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231700Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:41.160{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE39A7466891E60948158913F3B5671B,SHA256=B220A2D5D439F65B0B79C0C56337424CBDC9CEB8C39062E2DAA71B7E0B6FF7AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:40.659{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:42.574{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E14E442B24D775B898A1FA248C407F,SHA256=32346C1DA1ED998FFB3B2621AD1CCE6E8F885BCFE7FE7965C93A1ED84CD4370F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231703Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:42.865{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231702Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:42.177{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352E3DE4E98872FE7043CDE84047DA54,SHA256=B324A817E78DC8222DF5E34A445103B2EDD6C839BCBCF549FCE41A56D2A4FB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:43.590{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56671061F73D9EF1646D1947B1F4C7E0,SHA256=EFEB360AF9EB42E881CEDD7494C1D56F143301169EBD7A0E8799205BDD809907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231705Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:43.428{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4A392ECEC9C7C6104DCF376B04FC2E91,SHA256=B8CFA3613F7A897F98DC3E3C78B90B4FE9F5EECF2960E1815A0AEB09AB0CE545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231704Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:43.222{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32D271C94117A80A6C1C76F73B937FA,SHA256=FDB3E1762286C47CFD5E1F7DB13C2CDBC1949CB4A8B54F0A3667E7BF7D445556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:44.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C5AA420C0E5781FDCFD50DC7A4B5F1,SHA256=221167F9677A7802897B8C4AF4B96EB29851704C92C98B536BDCCCC79D4FD875,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231707Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:42.054{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231706Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:44.256{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E80C9E8264E4C781F92C22FA32C0FC,SHA256=8849FA95FA3CEBEF1A3708501F624B760043ED8F29BF164F9667C0683DEC3A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:45.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A590C64ED64714F433AD28975ED514,SHA256=768494F49084CC90F4B343EB65939E33D3342A5DB0F681F7A533537D4195284B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231708Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:45.256{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61754EC338704A5B556E2648C45A13A,SHA256=005C2427086EC4FBB5EBDA6132A176C8E0E0E96BD83D0D3B52DE9E01FBB92FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:45.184{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DF253C00207B59D6B075578026A5778F,SHA256=D05A734020B1D341138CFD02DD6D527DB2843EC2F8BF7B4815CB8B7570761ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:46.637{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847DDE0B84657916A17404AE4908DA89,SHA256=2C3B9A5E97B2942422467C627FD4A921989C37326FEC25F2E5196F366B770AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231709Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:46.303{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A9A2B0E8C9500B4132F6D9BDE07AB2,SHA256=A7A23B1F2AF2E61466C0F9883F34C58008D65F03C15C50C2247AAC7D05DB56E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:47.684{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD654C9D94FD4C9327306409076FEAA8,SHA256=E27FDB53ADF4F8AA13F3DF9E55700F455A0BB4B0B2B166B56791128C1A8C9BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231710Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:47.303{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB93214CAB5C3FC20EEBAA83D7BA2F8,SHA256=287648FBFDC2C32A65785CA5927C14BDFD8C1C644A18B6855E0263C5C2A53D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:48.699{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C521AAFCC868A045A52C4D9D14EE19,SHA256=9E837726D7DE85710CA8B33B4605866D1406D005912CBE370DC07238A819E105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231711Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:48.318{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5550B67A9B8EB844528830D05251B2,SHA256=3C5E971C0786B625551E1A2916A1DBC54CC295A881562C232EE651ECFFD5FF7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:45.722{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:49.731{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394D0472A04B179CF3BA4FC5EC5DB041,SHA256=DE16BAA34B163328B879F73E4414E1E37C3D0B790A45E0E603880FBEB4207553,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231713Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:47.134{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231712Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:49.318{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67FDFA8BE6B46B9856F12C17FE6E3DF,SHA256=F93CA461C68FEB1EC2619A38B4E3910AC4AED29C9D47251AA0C8C9008D433D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:49.590{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:50.778{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F248DC63859249C1269A879DD725DE8,SHA256=328B44D4267161DC1E59624D31A4E5156A3B36A4E681FC09FE3858344FB0D9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231714Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:50.318{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43F9920909DE0DB657E54BB429FECC0,SHA256=FFC50EED60661F3083CAA2D16051B44DA707DFD0D373F0051CA1FD7B01A2CDA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:51.793{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F63478435281C0A1DAA327B9EE1CDBA,SHA256=0749683963A5A166D3E8E15D6C762DAD0B966473D7A770662452037941A93808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231715Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:51.350{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5794A7893C493F1A23E246433EB64F1E,SHA256=4C02E9A8FF9B312457D7EE502BDA0036AF275880AFA388FFEE5E674C6582E5FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:49.143{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000272700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:52.809{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331BD078234AB5AD7C97F74FC9F8119A,SHA256=270239623F46C5D1CEF77E9C3C0814AD0C95644290CF6C0EBDF9DDE7391D0ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231716Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:52.365{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A31B74A7B24CC2F5B194C3EFA5167F,SHA256=3A5F14E141CA20DBAB39C289F5EC35066A0021B406C507D56096BFCC9EFB71CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:53.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F7CFC01FF8792A263C1414D0FA3B59,SHA256=E7211A5F46839BC58F060622B32A62BA7950E1C733196856F87B863353C114D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231717Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:53.381{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8834AF88D6F235124D28BF9E9BCA19FB,SHA256=16A53189D6B86AE0EFE86CDA8575DCD9886330A22A951FF597EFCFB4F99D37A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:54.903{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CACA9BA0C0B1BC4F7D71F53D9ACFF3,SHA256=1A55F7C32507776957EA3CF9798C41F3B0D25838D817CF2071A3D0DB30753E54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231731Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B06-6127-D403-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231730Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231729Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231728Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231727Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231726Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231725Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231724Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231723Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231722Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231721Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6B06-6127-D403-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231720Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B06-6127-D403-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231719Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.725{D371C250-6B06-6127-D403-00000000F301}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231718Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:54.412{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A259F937CF9CCC5C4ACBA34E7040573F,SHA256=539BD0CC7072D935F49B7A68BF3D2D1F86D647FC49E400621964F131CFF14F28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:51.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:55.918{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25485689E0E803B15D9A9253F5A39783,SHA256=1C2FF951D05B28E1EA82244DD77B8ABBABAAECAF7C0A5E049EA3C7DFF3161B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231748Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:52.181{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231747Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.740{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0972DA0A7DECEE61048EE4D0A9A1BF3F,SHA256=723755BA725194D82AE1CCEFAE4BE4F9C3D3F7D7421B47D0680478D266021E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231746Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.740{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48767A275F0BF742F44B0E97F3B3A170,SHA256=3EE7D3D4C7F62E0DF135D0E8B67029E2DF9891EB4C944635E46FAC6C626DE34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231745Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.506{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C2E905829120E2AB17848417E81905,SHA256=06E78C7E5AE2280FBEDFFA413966B7CC216E29A8411185BA84B7C4C53872BF6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231744Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B07-6127-D503-00000000F301}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231743Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231742Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231741Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231740Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231739Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231738Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231737Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231736Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231735Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B07-6127-D503-00000000F301}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231734Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231733Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.396{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B07-6127-D503-00000000F301}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231732Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.397{D371C250-6B07-6127-D503-00000000F301}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:56.949{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FA15F21FDF93AF81B8583BC9682C4F,SHA256=AEF66C4437E7F23760B1FF296F2A2CA4336EC3A72AC9794CFE1D55EB4491870E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231764Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.740{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA5BE5D6FC3EE5268D4A863F3DC4915,SHA256=688C40188A15B8AFEBD66D04824D68C2F242CFFBA7F85EAA09246C5A431D2B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231763Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.443{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231762Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.225{D371C250-6B08-6127-D603-00000000F301}37843820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231761Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B08-6127-D603-00000000F301}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231760Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231759Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231758Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231757Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231756Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231755Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231754Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231753Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231752Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231751Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B08-6127-D603-00000000F301}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231750Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.068{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B08-6127-D603-00000000F301}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231749Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:56.069{D371C250-6B08-6127-D603-00000000F301}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:57.965{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19408359E9A7434668D60112C037F453,SHA256=E9AE981DDFCC432B2A8DF2AC3DE13BE3D2145A9910CAD6F00E1F56EF69F4E804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231767Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:57.771{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C69ACF0AEECAC5EE3B6C6F7D7E50504,SHA256=B98D1C289C5EE80151257DE1DFC3B205268FBA65393EB217BD00BF9C3F694F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231766Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:55.400{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231765Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:57.100{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0972DA0A7DECEE61048EE4D0A9A1BF3F,SHA256=723755BA725194D82AE1CCEFAE4BE4F9C3D3F7D7421B47D0680478D266021E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:58.968{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96899664486DDDCC38C74D9549D3F7BF,SHA256=7897E47F068B6F45D9204783C56BDF55BED65D75C51CBDECFB819C5D0E4CF1D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231782Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.787{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A7717C007711132641A1829A541157,SHA256=1A75FB5CCC1576F09EBEA0BC1E1955E422CF03D28FEBEC52C3D616288EB75AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:56.784{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231781Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.428{D371C250-6B0A-6127-D703-00000000F301}33763944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231780Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B0A-6127-D703-00000000F301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231779Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231778Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231777Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231776Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231775Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231774Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231773Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231772Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231771Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231770Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6B0A-6127-D703-00000000F301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231769Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.287{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B0A-6127-D703-00000000F301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231768Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.288{D371C250-6B0A-6127-D703-00000000F301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:59.972{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7716012387916D02C67AD096588229D4,SHA256=93B96D6BE83F9762295C661C7367811A42BA57B29653124873CF670F6967992E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231798Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.803{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5378B7F094675D2F4C9F13422F10BD,SHA256=12E1B4E65025796B5E527BAF98751A7E11640315998F343EE2AFFA48094650F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:20:59.018{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-115MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231797Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.678{D371C250-6B0B-6127-D803-00000000F301}34643736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231796Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B0B-6127-D803-00000000F301}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231795Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231794Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231793Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231792Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231791Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231790Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231789Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231788Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231787Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231786Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B0B-6127-D803-00000000F301}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231785Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.521{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B0B-6127-D803-00000000F301}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231784Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.522{D371C250-6B0B-6127-D803-00000000F301}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231783Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:59.475{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFCEB4D96B87B845862D6B9022B86EB2,SHA256=338A5BDA69BF256E02B1E6D24C1019A4F5E01D7480D1AEA1F61A8E76557D6E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:00.975{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC21E4406789F7BE5BDB7A3D26069C8,SHA256=E593876E195006E8F0F94094B9EDD4C412C450228F76CE9A959123830C4E7703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231815Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.803{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F32E8D0BA83EB8882E6BB478EFB39AA,SHA256=62BCD380BC51F41028FD8CA28D92E5D305E1641D5603F1FECAA49B525CE75FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:00.020{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231814Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:20:58.181{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231813Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.631{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6978A7AF3F552CBB874B47E6F41999BD,SHA256=05DB183136C497EF78BC351803C19275BA4F58196E8333A9E60E0CEEDBDDAB17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231812Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.396{D371C250-6B0C-6127-D903-00000000F301}31962496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231811Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B0C-6127-D903-00000000F301}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231810Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231809Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231808Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231807Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231806Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231805Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231804Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231803Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231802Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231801Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6B0C-6127-D903-00000000F301}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231800Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.193{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B0C-6127-D903-00000000F301}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231799Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:00.194{D371C250-6B0C-6127-D903-00000000F301}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231816Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:01.834{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0EDE478330A3AD6B8AC76239DB7DCF,SHA256=4F85215A517A94DD55BD154A38833F87E1A22EB20EDE9E4BFDB3D058AEEB85E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231830Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.834{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7D0C17BDD4F6AF2E1C48317FFC59E8,SHA256=914BBBD67C0B58DA60DB32E5EDC0D397E289FA7892808A7BD78A099A057D51F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:02.006{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103AC0D8198EEFA861C246848CDD89E2,SHA256=63CCE123B1F33EC434907F541ADBD2C58FD18770A703C0C74B77ED33211AEC0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231829Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B0E-6127-DA03-00000000F301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231828Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231827Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231826Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231825Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231824Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231823Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231822Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231821Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231820Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231819Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B0E-6127-DA03-00000000F301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231818Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.099{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B0E-6127-DA03-00000000F301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231817Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:02.100{D371C250-6B0E-6127-DA03-00000000F301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231832Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:03.849{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A033CA4F395A57F4076FAF337C347230,SHA256=3722EDDECA3472A14A79A20D50EB629E35CC88B97657BA1E2C1118827D4C31F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:03.037{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53603789D1431AF4A3767FC485D983D,SHA256=4D4C8B085563B6CFAEECA22881ACB6F53CAE33E6B8464F6F60BF95366C44C6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231831Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:03.099{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9A43C274C34EB7C2AC534F897BA188D,SHA256=BF23578D3D235EA80CA0DFEEFA72348D07E898DB22D855869152422D30F9D555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231833Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:04.849{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D73549C62742237F5292F3D98BB7BD7,SHA256=457F95C9CE41F904BBBF5CE330A54442A4A6C1F9783FCCFCCA32D88BFFB2381F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:02.637{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:04.069{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC712102A63563AB11F3278DAECA097,SHA256=9BD16A7A5D1C137D1E746F1793118E62ED745B468665B125EB54F6B0772EFD72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231834Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:05.849{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BD88BB641CD8C8F567DEFC6128BD8F,SHA256=5A7E3DD1F8B878E9ADBD05E72EA64F02FEB0E9026598FD95ADCE85A3ECADECE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:05.084{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8674733087D065F6DE5208CBE45C19A,SHA256=50C48440BCE6ECECCADA56031A8BFDA18F99BCA98265738AD81087A8E7AE9881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231836Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:06.881{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBD3B808960307BA8084A56B1A4AFB2,SHA256=5E30A7375D95DE31E175E5B3C232960A5DCF3C53FE7E85D18F3CBC2707836C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:06.100{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1A068E2DDDD4A3D1656F4AA92B0211,SHA256=242377844E3C15F89C39DCBE7D7161CACB0FF4F5CE16A0AD68597EBE33B0C6C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231835Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:03.197{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231837Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:07.943{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2885A4760C29FC3D7383C63881B5BD,SHA256=F25FEB4B86792543802899844F8BAC45FC339AF7506A37184649A7E810FFFA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:07.115{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A203688A9D4E1C9FC229514DD2637DF,SHA256=F1257405B7D62C8CD6C5A9085FB352F3EAEF3DEA40F2ED1FD73F72C82552DEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231838Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:08.943{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3DF67CBB17C5651094A58D42B4FA86,SHA256=937E7D9B366DBC0ED767A70E3B5C68279F0231E8794F6B6AE6DCB4DA3C1DC38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:08.147{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CAF82B3F92E7EC1C7C5BCD242A7B74,SHA256=9DF1A48D64D26F274B0CE16B56BFBFBA5DC68EE4E8295564C6037A97A8F7F609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231839Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:09.943{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0F495F3E91ED52E62FE4F42990B2AC,SHA256=89648E5F33FFCF6545AC2E2827E7C67C6479DEF1C2E6A8142FA6CC837368FE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:09.162{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C578DD23B3892C04DC6FDBD022FAE75,SHA256=408DA5679DDF3FF76A32CB06DC03E2219D2CC3F29132CE791EC030B37789E0EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231840Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:10.943{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53D346C849B99D1202922D787F3E6F4,SHA256=623D97C01B54E31884C19B9B672528123CCC4788A5026AE7FD33D94E83B036FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:08.653{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:10.178{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8C562DF1CA834B2129011315B5BF45,SHA256=9379F605B1096370836BFC3B4418DEA86601C00FA2402E1BE2047F7C6A383FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231842Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:11.990{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14931525883833BE9D6818F984EFF73,SHA256=9EF11E504DD254F07E9175EA6A4CA66A1FC3E66A6700673DA7465C0A35A2B8EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B17-6127-1504-00000000F201}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B17-6127-1504-00000000F201}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.928{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B17-6127-1504-00000000F201}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.929{80A11F3A-6B17-6127-1504-00000000F201}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:11.194{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EC55B857FBB67B660B607EE6DF828E,SHA256=F1FEAA1291A17BC2A900739D5782C66A4965F2B4516016C27D59B2DF771726AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231841Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:09.025{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231843Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:12.990{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=445DF820712CB62D5D865F0036FA84F7,SHA256=72DCED00B52D9C10E737BA1A8819DC48504A45F72A677F1CB3A9DC25465E8E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:12.959{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD8C7F3C0FDF7B310003FD7BD3128556,SHA256=5EB11B8B2694869BBE3CB72666FB86B817B68D903021294330DBEEF590A40BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:12.959{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA69D81F13CB08FB449EEB3AD7551917,SHA256=201A987D035D23E5EAFCA9A5F3D61EB4EFB99022830EC61BAC8D50BCF7E9EEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:12.228{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011B8FA417A444ECC562403DE2EAB0D7,SHA256=FC7A22F3E726BB3A834B4B820FBBE440CE26452FAC795FAAB28BA4256EEA3C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231844Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:13.990{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EB53586A98F81727CB86D8E23EB8BE,SHA256=84E835C56CC28A5ED2DEB491D85A89AC0025088D1780DDD038E8B731D444A5C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B19-6127-1704-00000000F201}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B19-6127-1704-00000000F201}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.569{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B19-6127-1704-00000000F201}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.570{80A11F3A-6B19-6127-1704-00000000F201}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.303{80A11F3A-6B19-6127-1604-00000000F201}45282708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.256{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924E7DD86B33D3D336BD2949A80E5F37,SHA256=EA11A465E4FDFF292303E4A55DCA6A1B046F67FD46C459D80D58BB2C3A283337,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B19-6127-1604-00000000F201}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B19-6127-1604-00000000F201}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B19-6127-1604-00000000F201}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.069{80A11F3A-6B19-6127-1604-00000000F201}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:14.256{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9B69C194A6631042A3787A1558BEF1,SHA256=601D430D5BE865A65AD05DAB11924C11954D118E7CE5ACDBA7EA1CD5AFDB7D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:14.084{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD8C7F3C0FDF7B310003FD7BD3128556,SHA256=5EB11B8B2694869BBE3CB72666FB86B817B68D903021294330DBEEF590A40BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:15.522{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F2B68C18E0DD423FCA9C9432E9492E,SHA256=8316FC0E67C2C891756F151AAE49774E221893086A96C8BA7969489D88F822DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:15.272{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39449F74C398669174671886FD4C71C,SHA256=8402CE94FD89888E399AEF0E05F96E3A3BABF12427F8275523F495468CEC64C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231845Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:15.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD773135BFAA8BFD66D367EC7FBE3EA,SHA256=36756E9343F41A52A591C3ED623BC0123B5A77FB4052CAF7A439BD0998B17727,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B1C-6127-1804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B1C-6127-1804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.819{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B1C-6127-1804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.820{80A11F3A-6B1C-6127-1804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:16.334{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463DDE8A89D67E5953D0C87CC58A0EF5,SHA256=A3E8658DCF8B6CC5858DD45148A15F36E9F413FEB21D115153A0226A9AA3C656,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231847Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:14.041{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231846Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:16.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DAFD503A8C01338B2613F7D56869B8,SHA256=1846D3E654DAA321AE15C6FF0C6BD1A00D7CD31F5ED032F0C0A7C018E1A735C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:13.668{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.850{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BF069CC11800D2A77BC46EEE031A272,SHA256=B665578DB8AD2F66B6F13911A2E785EF29C6F8F3AB75CF9B96ECA8F787A9A1B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B1D-6127-1A04-00000000F201}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B1D-6127-1A04-00000000F201}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.834{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B1D-6127-1A04-00000000F201}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.835{80A11F3A-6B1D-6127-1A04-00000000F201}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.553{80A11F3A-6B1D-6127-1904-00000000F201}3984420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.475{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CE5C4775C0AF2A7AE29FC13C2D1BFE,SHA256=A5EE983ADA1E3FAC37D75B7387907DA75126007A07B0F51493A0A5DBD77926B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231848Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:17.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6656D9B3995132A7E2347E31ACA47F89,SHA256=E6B38551BF86389D98F67A170288908C9A570E909592F2742A817EDD46314473,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2800-00000000F201}2816C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2800-00000000F201}2816C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.350{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B1D-6127-1904-00000000F201}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B1D-6127-1904-00000000F201}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.334{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B1D-6127-1904-00000000F201}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.335{80A11F3A-6B1D-6127-1904-00000000F201}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:17.069{80A11F3A-6B1C-6127-1804-00000000F201}2692172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000272769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:14.091{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58176-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:14.090{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58176-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000272830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:18.506{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735477DB1BCF62FFEBAE013000337A4B,SHA256=7232B62857929712668D06F261F23DD67CCA64C8F69C3F47E0EAC892F6DC34B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231849Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:18.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79ED1E6BC77DB396CDA103D3CD567C0F,SHA256=89E8F3B9F0455E56ED72DFEEAB4BED6CD5025CF492A104BC263D8939BD056BE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:18.022{80A11F3A-6B1D-6127-1A04-00000000F201}41563164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.537{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C224FD357AAD6ECA2AA90DE5C3F5F38F,SHA256=954AA7CC0C67D53B9D2555E9FC9C79D3CD09D7AACE7F5CAE36DF614253457550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231850Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:19.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3FBF12DD2D78527A63F3DF6EC3C8BC,SHA256=5ED0986B716950A8AD512F35667DBC95A896543A65C4D385AF5176D540DBF9CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B1F-6127-1B04-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B1F-6127-1B04-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.506{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B1F-6127-1B04-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:19.507{80A11F3A-6B1F-6127-1B04-00000000F201}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:20.553{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E25D4C594C0A2B79406D7FF80AE4D5,SHA256=51475147B08CEF94A52D671776833B5068A9940A9C4B555242702BE51891E203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231851Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:20.006{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3221C3309487D8316B5AEE822F210F6B,SHA256=6F94C4472BD1F6E97C78A8C1E81D557E51E19CA772E76F5C1EE42A0490C4CE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:20.522{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C2783D3D8095EB29B0A4498DDDEE940,SHA256=BDD0BDB449EDBAD0DBBE6EF3FED3BDAD641A42DBE646E4B3550572D667AE69AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:21.678{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA46DFFE65DFCE82D19480DE77FE9E51,SHA256=4908C7EC61C1B09ED1DA6F537CDB79F75F4F3479340C6C56BE2E27DE0471BEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231852Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:21.021{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA997674DE3630C19841188817077B82,SHA256=6CB08E95929ADAD2BFA25D12854E4ECF785723A660A091175A87BFF568E57024,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:18.684{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:22.693{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86A6EBCBF57CBD01F36ACDD6E4D5D90,SHA256=832209A032CF09D50FF3669BC4257D5AD09986D0DD669F91D670BEC5C51069A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231854Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:20.010{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231853Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:22.021{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE660B12521A51B5EE7BC1CE07E430EF,SHA256=90E8402025843ACCE94C62B715CC7760F2A65D3C6E73C4906E1F98D648C3148A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:23.709{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF37F5415D0AF633BF28D8B02A9B5CAE,SHA256=91E15594AEA65BD222B447D786881FDF0712530D9D326017CDDC206C0B883CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231855Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:23.021{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BE69A3D426F4BA3018852DA0B1902,SHA256=21FAB36E3A90B2793E9A3043FFB7C666080FDF9B8A55EBBA6522A551E68B4690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:24.725{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E0C57920F54CEF275103B6D6A5FC0B,SHA256=E697F6103DAC9D2C30B5C8C8C12DE82A775A966B377B4001C504489FD01E695C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231856Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:24.021{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04119A4E6926AB4BB5269BC2254E1937,SHA256=62F8471D01E25B0660812A5C5B3B002BABD97E953BB0ADC4B12E4E1A5A947523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:25.740{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7C04ED9BD120E846A8D5DC9EF0C783,SHA256=1B0B3F9B1BD8D01DB39FA9CB4D02C35BB0B05661435CC511F09DBC9F4978C0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231857Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:25.021{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837A098CAD3E655CAC76AE69C8004117,SHA256=1DDF2BC1FAE43F3B45918934477B15FD3017C2CAB892B90FDEB2636779BFE794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:26.740{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EF1984515977B006EDD34CC2060701,SHA256=35C0AF678450D8574AF235009BD8925651BA71CFA4E81967F2A2564BC720FA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231858Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:26.053{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CF16082DCE98B943D675581BD358A6,SHA256=C6DC532F0282EABB99DBA3691F4CC012291AE4D1A7271E0E6167F1A870926DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:27.756{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192B3767960FE7AE7008806B65DA8CA1,SHA256=90CC0BF8B54FB2A052B124008AE12B2C565E0B991A845E8ADDE42FF4DB4A51A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231860Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:25.025{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231859Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:27.068{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1960CDE5024D32AD0126BE7E542E7044,SHA256=EC6C9AF892FE4D50BDDB6B4A24A8F7EFFE25CA38D36976D7253B778FCCB51CCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:24.637{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:28.772{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF344D6265698A5473136C637FA087BD,SHA256=FF6B919215FBAB2A2A2420A9EC7FE10ADDD93795B6EFB3282C138E32B21E751E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231861Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:28.068{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971C229EC25D5D181F9311537F081038,SHA256=492AB8B970103BF70560D7E35E7545C20134E24CD7E1F8F967C8ABDC8BD447E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:29.772{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F5F7758D3E7E7E077F4842441C134B,SHA256=B9856A334DF2726927E60704C02C1FDD13EAF3007696AD6DA0E709587847A68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231862Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:29.068{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FCB9CEB46E9579F10B905597AFFC46,SHA256=0E2DC45B4F8258F3E03ADD94C14063AA1D65A781970C8059F231354A00731EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:30.787{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3FE7F4790E15CE7F8BB483FA4AD983,SHA256=AB0F747AC5CED8C37DC9FA660236A54E1BBEEB763AA8DE9D2FA3ACDF6DD626A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231863Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:30.162{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C5D7432FEC090C73623E74C1ECC6CB,SHA256=B17445D7D406EFAB49E6CFC5A24C37F4CB23C4CD9C598A61C00BDFA60AD35D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:31.803{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0191E065ADF577D5B9D69088FCC6A001,SHA256=483BC64E32C75D2FF92752E8A7468DAEC505D1D04DEEFF464350157D4EF65985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231864Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:31.162{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1071C650D785767D9871E82EC411DBA6,SHA256=492111D2762B787CC8A79487AB77B3B3EA98D02D368937FBAD23C22B2C76C632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:32.818{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BAEAF5304C78BF860EB3A676545437,SHA256=0294C15EE98FC9B2706E945EFFDE19995EB530049D2FDA88396B297414E2A623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231865Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:32.178{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F81E06B11A1A3446E0782BF37F579C0,SHA256=B98D54F43E6597B0760C4B6C880E5C7085DEEDB6243307088F5CFA72A9A230BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:29.778{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:33.850{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22478597DCF35D9D08BD6A0AE3EC1BD,SHA256=719A8B6C8CCB1A829FE7843D14E348F641846F3499CC98BC826782CFF46A45B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231867Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:31.025{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231866Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:33.178{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6120D0D1F54F9C6EFF7794A684ED7BD6,SHA256=167843364E0C19211B019EDAA9D23ED5BA94BBC4648156C19FB49913BE2AE8B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:34.850{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21AA8B082D50104722D1701E525F2AB,SHA256=299BDB37A9DDA8AF973A587A6BD2210B12CD56F83EB43D97B658F3A981466DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231868Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:34.224{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3E1186E3D077F5D5888372939088B2,SHA256=99AEF6792D7F6711FC8B5AE0939DDA06CCF0A3BE8563F3A30A2AA5617E36BE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:35.881{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620D0B4DEC3E9B5A4B3965ED9F1D15B4,SHA256=F04132CCD369006371C7B4F47266184942E017B8F54D0C7FDEF3C846B01DCBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231869Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:35.240{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6346C5A83A29DE742BC649A134017AB8,SHA256=0F182E10988A698514C30D734FDFEDB7ECCF754A3CF7E5A69BDDF93E37D9A49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:36.897{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D410A6E432C964CB2532086BEF6B4B1,SHA256=410E8F55963A27F0D6F718635F095593B9A66451A09ECC17152545AEE6B600C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231870Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:36.256{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3302E5E93422FFC0E725E993833C6471,SHA256=9AC04BAF7BADFC7C3F18098E3F6B3390EF8C229CE16CC1ABD608ED81BA83C6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:37.912{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3149320F59F5ED2FD684B6CAC6447C45,SHA256=DB1E7B88B913BDB488049CB3EF82C9B77655D3F458FC01CF9A0F57DEC57D38E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231871Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:37.256{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373775D90A04064D4EF31EBE5E8BC344,SHA256=7E1AD61E58868BF542328A9F10D936123B244E57FDD9F40AB90D2F59A6D77410,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:35.637{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:38.959{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E70D776A31FB3707C9F652989A7FD21,SHA256=C8970B7E146544D4A9BEBC155E86329FF8DE5062BD3F005C5A32193953C508DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231873Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:36.182{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231872Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:38.256{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E1F698009064557C67F52DE6F3B6E2,SHA256=52E39E2AA3620D6EDA1098077FA577120A8F88CCF158062BEB549CB5D9D0651A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:39.990{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D93E570B870A1C1F8D10F4CB049801,SHA256=6FCD9ECFC2A0ADB4071D20868DA4122835788FBC2987B095E6187C5759AC6983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231874Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:39.302{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085DCD0A326A2F8A95078FA517DEAD17,SHA256=0E934BEE6E75A6180B06A0CD79750A40D5A0E9F53B3373E45B898208012511F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:40.990{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C658708C139AA43FE16E4078199DF4,SHA256=A134154BE1812B50D7347C6F391B2D825D6CF7C29464D01364776A8851A5C279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231875Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:40.302{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91B220F2FB9D6FE2204BBA01FED5272,SHA256=3E97811B00B5312DC3375AEAB0FE30656960CB6EEDD348CA455481998EE631C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231876Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:41.318{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE62BA56728DD10C2D2078B3EE09148,SHA256=4972255F875B17697E0D1C3CA21D105F9EFA95D93255472789E069758CF302C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231892Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:42.381{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231891Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:42.381{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231890Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:42.381{D371C250-4F14-6127-0B00-00000000F301}6322476C:\Windows\system32\lsass.exe{D371C250-4F14-6127-0A00-00000000F301}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000231889Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000231888Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000231887Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000231886Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\LeaseTerminatesTimeDWORD (0x61277946) 13241300x8000000000000000231885Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\T2DWORD (0x61277784) 13241300x8000000000000000231884Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\T1DWORD (0x6127723e) 13241300x8000000000000000231883Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\LeaseObtainedTimeDWORD (0x61276b36) 13241300x8000000000000000231882Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\LeaseDWORD (0x00000e10) 13241300x8000000000000000231881Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\DhcpServer10.0.1.1 13241300x8000000000000000231880Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000231879Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\DhcpIPAddress10.0.1.15 13241300x8000000000000000231878Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:42.381{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6e6e6b3-cb5d-4efa-8cb6-73e25c2d47b5}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000231877Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:42.318{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE10D678AA76FE4EBAD5B936089E3D31,SHA256=5F1F28C1C564413B62B01E52C4BE4B51992DC5E7877643A2642AB2DC144BFE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:42.646{80A11F3A-4F15-6127-0B00-00000000F201}632364C:\Windows\system32\lsass.exe{80A11F3A-4F11-6127-0100-00000000F201}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000272867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:40.793{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:42.006{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67FDC1AA2F38338F877C964C04DE5E2,SHA256=57ABB0BD4410779A51240A5624A2874D9F7D0FD6913BD5667A54B423FCEF3FB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231900Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:41.372{D371C250-4F15-6127-1600-00000000F301}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:98d0:a608:d80:ffff-49804-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000231899Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:41.372{D371C250-4F15-6127-1600-00000000F301}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:20e0:2601:8273:fb42win-host-944.eu-central-1.compute.internal49804-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000231898Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:41.353{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000231897Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.429{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C35AC6C3EA3AE1609F25F9A5E982FFA4,SHA256=A8373A35A6DC79D9DC705B0D57EBC133CC61DB33DBF04ED18EBD8D0587F367E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231896Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.386{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B709B9DA78005CBB7D75B1E89FFC4669,SHA256=BB8AB576E6EE786CE012EED18E40A027DEE7526C93257501CB1771C4E3A0B297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231895Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.385{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=36823A7D6EC8254ED585348363033AD2,SHA256=1B20381ACDBF4BD1437E8D2778F14B9140D7B4F967198293932058CC4FE5CFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231894Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.384{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-116MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231893Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.319{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D8281B8882C04655F64664FB38CDAF,SHA256=5CBDBBF0CD3C66CD9FB11C4F3D9B83C276E89673E0765908CB06F2BF66F21C41,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000272882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000272881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000272880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\LeaseTerminatesTimeDWORD (0x61277947) 13241300x8000000000000000272879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\T2DWORD (0x61277785) 13241300x8000000000000000272878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\T1DWORD (0x6127723f) 13241300x8000000000000000272877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\LeaseObtainedTimeDWORD (0x61276b37) 13241300x8000000000000000272876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\LeaseDWORD (0x00000e10) 13241300x8000000000000000272875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpServer10.0.1.1 13241300x8000000000000000272874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000272873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpIPAddress10.0.1.14 13241300x8000000000000000272872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:43.850{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000272871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.693{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8E20BA5B7965CCA577D30F03BD0C710,SHA256=8E5A51D841860CEE490746B0DB2308EB47897E679DF3534EC80336E6A4A9D72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.693{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E6B5FC54DF8D0505169126235384CB,SHA256=1494B77331E9258E85CDDEBE0D7AFCD252EA831109DD9F7534FEA3A8FAFE612D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.021{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4AA1FE863ED95F94FE65B2FE86AEF0,SHA256=EDCE47743475A986875909FBF4A1841AA251B0A0E4C1691E3F212A28A840CFD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231904Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:42.105{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000231903Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:21:44.584{D371C250-4F15-6127-1500-00000000F301}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a64-0x2b601178) 23542300x8000000000000000231902Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:44.399{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231901Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:44.351{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB0A98A8C1FA519B7EE1CAAF32864BC,SHA256=5C93974D80435CAC8A31570B7D872479715969FED43E7FCD7246780561FE252F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:42.216{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58182-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000272887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:42.216{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58182-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 10341000x8000000000000000272886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:44.615{80A11F3A-4F18-6127-1600-00000000F201}12965056C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:44.615{80A11F3A-4F18-6127-1600-00000000F201}12965056C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:44.068{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653C1C98FF7FE09C13C00D5DD03B9AF0,SHA256=4A079EC4994D2C05F179D68ABFAA9E06FA71CFC797A203E376D432EE3E19658C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231907Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.093{D371C250-4F15-6127-1600-00000000F301}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-944.eu-central-1.compute.internal62100-false10.0.1.14WIN-DC-39153domain 354300x8000000000000000231906Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.074{D371C250-4F15-6127-1600-00000000F301}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:98d0:a608:d80:ffff-62100-truea00:10e:4883:c420:415e:c3cc:cccc:cccc-53domain 23542300x8000000000000000231905Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:45.398{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB5AF7CD35EF101C04ED85357CDD4C7,SHA256=608C38FA383D5CF5E61D145EC795ABF18EFDC099AEC0677B50E22840242E7AA4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000272907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000272906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000272905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\FlagsDWORD (0x00000002) 13241300x8000000000000000272904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\TtlDWORD (0x000004b0) 13241300x8000000000000000272903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\SentPriUpdateToIpBinary Data 13241300x8000000000000000272902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\SentUpdateToIpBinary Data 13241300x8000000000000000272901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\DnsServersBinary Data 13241300x8000000000000000272900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\HostAddrsBinary Data 13241300x8000000000000000272899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\PrimaryDomainNameattackrange.local 13241300x8000000000000000272898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\AdapterDomainName(Empty) 13241300x8000000000000000272897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\Hostnamewin-dc-391 10341000x8000000000000000272896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.881{80A11F3A-4F15-6127-0B00-00000000F201}632364C:\Windows\system32\lsass.exe{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x8000000000000000272895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:45.881{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\RegisteredSinceBootDWORD (0x00000001) 354300x8000000000000000272894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.705{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.15WIN-HOST-94462100- 354300x8000000000000000272893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.426{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:81dc:ffff:98f0:14bb:81dc:ffff-64833-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000272892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.426{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local64833-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000272891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:43.418{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000272890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.193{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=542CB8FCF4C57C6DCC39728A9EA3265A,SHA256=025E8D4BBF4B478C3871CD2BADB297A53AFB44C2CA3FE413B470731517BF0FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.084{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECB19D429D5C70ECBDC65CB5D4B7585,SHA256=856359B2756324E76BC26F6820CD89FF62E893BA48184FC46530750C91A95DD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231909Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:43.540{D371C250-4F15-6127-1500-00000000F301}1088C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000231908Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:46.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BBB42B94DCF856A705D0DCBE700121,SHA256=7E771D0BCF536F455A0112837894839CA034F448B76AE65ABE3EE91FE4CB6E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:46.943{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8E20BA5B7965CCA577D30F03BD0C710,SHA256=8E5A51D841860CEE490746B0DB2308EB47897E679DF3534EC80336E6A4A9D72A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:44.622{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local50835- 13241300x8000000000000000272919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000272918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006e03e1) 13241300x8000000000000000272917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0xca59a72a) 13241300x8000000000000000272916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a64-0x2c1e0f2a) 13241300x8000000000000000272915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0x8de2772a) 13241300x8000000000000000272914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000272913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006e03e1) 13241300x8000000000000000272912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0xca59a72a) 13241300x8000000000000000272911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a64-0x2c1e0f2a) 13241300x8000000000000000272910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:21:46.662{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0x8de2772a) 23542300x8000000000000000272909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:46.100{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC17F34AC410C66E9F60469021C4D6A9,SHA256=7A265F68848DEA3FD50AE67623CD9ED36E128FE15F93F65CA707AAB1DD1CA379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231910Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:47.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE4D9BB56C10EF48663AE8B61B1E9A5,SHA256=6A50AC135697B87163C409855BAE1D32D59079BBE2DCE3ACDF19BD18C3507BAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.462{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54232- 354300x8000000000000000272932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.462{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54232-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domain 354300x8000000000000000272931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.462{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54260- 354300x8000000000000000272930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.457{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63947-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.457{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63947-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000272928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.456{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local51541- 354300x8000000000000000272927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.455{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local63946-false10.0.1.14win-dc-391.attackrange.local53domain 354300x8000000000000000272926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.455{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-391.attackrange.local63946-false10.0.1.14win-dc-391.attackrange.local53domain 354300x8000000000000000272925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.453{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local51007- 354300x8000000000000000272924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.453{80A11F3A-4F17-6127-1300-00000000F201}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local51007-false10.0.1.14win-dc-391.attackrange.local53domain 354300x8000000000000000272923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.452{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58592- 23542300x8000000000000000272922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:47.115{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16EA9E528B5F29D85AD427ABCDD2D63E,SHA256=DAFE8EE1EB3DC6E62C4C7F9447B25D70BFA25528C20941C5353598B56727C38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231911Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:48.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F63ADC1CB033CF67A418042283F258,SHA256=DA4C2023490D1D8858D67AA8DC4A68669823E1C07890DD3E13D3013DD3E5EFF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:46.606{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000272939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.464{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local55800- 354300x8000000000000000272938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.463{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local58592-false10.0.1.14win-dc-391.attackrange.local53domain 354300x8000000000000000272937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.463{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local58592- 354300x8000000000000000272936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.463{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:81dc:ffff:98f0:14bb:81dc:ffff-58592-truea00:10e:0:0:0:0:0:0win-dc-391.attackrange.local53domain 354300x8000000000000000272935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:45.463{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local51403- 23542300x8000000000000000272934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:48.131{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1206F1DA20F1C6C4586A937EE9A349E,SHA256=0687DF423AB8A20872F862265F928584E823FE0BD40403AAB660EADA2C242F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231913Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:47.232{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231912Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:49.431{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76B2389C94248B475310300C64DD16D,SHA256=EF08EA32555637BF7B141D9AB6908D6575889C6AB44ED5CCC6AC0F0BFCE9997A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:49.615{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:49.178{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA646D66A7667AFCD8FE0D50BFCFCDF,SHA256=3F0896A1852B37469654DCA9A9AE9EA58ECE2C0031EB5C55ABD3EFBB35A81352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231914Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:50.446{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8D865354F4082D54E906D689D43BBC,SHA256=ED26AC56E2837B392FC878383544D2C7E4E694A8CC1EC4C9F3CD15C5B676B697,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:49.168{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63949-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000272943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:50.178{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABE4E86BF1DFD79CE2282D9D5FC1108,SHA256=2171BBD2B4114DC1EA89F542DE4CD51C2A0435F01E5A39C11D7DE8E866B6D0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231915Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:51.478{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877C5D7F8A523F708DF83E81DAF277F5,SHA256=E082AF8505F2B2DC631CDB4CA0E11043546DF1A5112EB6DD85B4F8619461F4BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:51.193{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AA64AB74092FE4C8136BA1D30F0C92,SHA256=8DDE1A3CA46E966974C2AC777C7AAFD1D2AF9F075BBD63037C0BB5AAE0547B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231916Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:52.540{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8D0173A36415872AB5C515BE096A0A,SHA256=806E7987B271B8833FD91497C74362209EF71F5D175B507CA70261346E96D957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:52.209{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63A13A0B36F9483FB3418A2F3D98C3A,SHA256=7F9E5228AB1111820F1B66B8BAC7447AFCF3133072E149CB9B2199607C05A848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231917Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:53.571{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E082DA0BB78977BC6B554AE41FA69237,SHA256=6FA30FF5A8F3ACFE0D8C4812DDECC31CB238040248A4CAB4BEF594D49E67C051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:53.225{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7833955007D934F869AC6F0609EC484,SHA256=9A57DCC32BA47EDE8DE20420D19FF667FFDFB302914B6E5DCC4A8FC7F2C76992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231932Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.931{D371C250-6B42-6127-DB03-00000000F301}33842508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231931Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B42-6127-DB03-00000000F301}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231930Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231929Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231928Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231927Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231926Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231925Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231924Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231923Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231922Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231921Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B42-6127-DB03-00000000F301}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231920Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B42-6127-DB03-00000000F301}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231919Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.728{D371C250-6B42-6127-DB03-00000000F301}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231918Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:54.618{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC6759E4B608F9D053046A388F599BE,SHA256=EEF4B61560941C5BAB10DE80D7E663990BF3052572EFDC9A1E04355B6BE32716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:54.522{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6289FB6D167C0A43248865E56EE83332,SHA256=C55AEAC32B16871350AB63FBDB2A17CBE95C12152F72B1FA0DAFF8CDFE822D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:54.522{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6BE4616C4E7368624A8B3BB1A238031,SHA256=1148A25BD7AA7E3EEA19E1D99244EDA9BE94CA78A61697CAD6A058A4528A754B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:54.240{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EB16F4065FA741503DCC36C8BB4C83,SHA256=0E6756AD07636B108BFAAB740C7C76FD88A5D748B0C0558C7DD7C793A8FC0CB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:51.699{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63950-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231961Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B43-6127-DD03-00000000F301}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231960Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231959Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231958Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231957Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231956Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231955Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231954Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231953Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231952Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231951Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F96E62F8378BC92866D1B5EBAE61C67C,SHA256=A7D69985FD28F4C420B0D55DCD84F233C482CA1B1DC2580446069051EE23B131,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231950Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6B43-6127-DD03-00000000F301}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231949Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B43-6127-DD03-00000000F301}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231948Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.871{D371C250-6B43-6127-DD03-00000000F301}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231947Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA72F7C7D3945B8ED18A51E72350F02E,SHA256=E2F38751AA22E78EFC4D18B8478622F6A21ABA54CF922B18DEA80A0FCB98BBD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231946Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.868{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16D62EA065FDDDBDBFBF58615E5882B2,SHA256=64BA994C1A6B25566964CBA59684E3FCAC1CCF69BA6ADEB6182F7041D70DEDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:55.256{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A37ABF12A66FE88CA80FAC8AFB0449,SHA256=76DD8DB1CBD6E9C2A0E9415DE3F046AD324B8114A4FEBDC15221DBCF695EF123,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231945Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B43-6127-DC03-00000000F301}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231944Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231943Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231942Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231941Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231940Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231939Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231938Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231937Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231936Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231935Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6B43-6127-DC03-00000000F301}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231934Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.228{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B43-6127-DC03-00000000F301}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231933Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.229{D371C250-6B43-6127-DC03-00000000F301}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231968Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.978{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9DBBAA5B042D9ED46B6D1D1814F5F4,SHA256=34AA6CA8AF54DCE4F72DFFBFB3A790148745B1617528DC2BE197371A52C5719F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:56.271{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01A4193665D6F260A2680FF0C3BDF4C,SHA256=A28D4F099A72B5C423E6D68ABE767032E2B26D78EABF65DC1D84E8BC230080DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231967Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.868{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F96E62F8378BC92866D1B5EBAE61C67C,SHA256=A7D69985FD28F4C420B0D55DCD84F233C482CA1B1DC2580446069051EE23B131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231966Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.837{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=8D624CE153982CF24F8787FBD1E084EC,SHA256=5DFAA2E0D1592568C1704B7E77EB0FF1D4FE36E07AB6578192B6DCD8EDAD5BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231965Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.837{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=A4B12F1EAAA451C3CFFD8FBFEBFB4FB3,SHA256=83C86B6E64AF7EC1BE6A2280EF47CA74A7D8EE8290726BD8A665917E8C306D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231964Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.837{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=4631A88D418C821C99C7C839BD720FCC,SHA256=E6B8780AF462CF42B8D3C6DA261D831199774024D15C3FDD8D008128C0EB3BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231963Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:56.462{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231962Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:53.185{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:57.318{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23427E03CB12A4107B4A81E14CAAE7B1,SHA256=7E40B97EABBE61A4722CE8A6E34750E8BEAF98BE991D3F5E70A3F8C454F60A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:58.334{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87A6CAB84694D95C71E6F0FB76D967E,SHA256=C44E3100C68E1E49515B57C1CED3ED410AB1E6F526804ED2CB5E7CF62B1A44A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231984Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.337{D371C250-6B46-6127-DE03-00000000F301}29162492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231983Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B46-6127-DE03-00000000F301}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231982Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231981Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231980Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231979Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231978Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231977Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231976Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231975Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231974Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231973Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B46-6127-DE03-00000000F301}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231972Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B46-6127-DE03-00000000F301}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231971Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.150{D371C250-6B46-6127-DE03-00000000F301}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231970Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:55.420{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231969Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.040{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75B2A6BABBFC915173A09FCEA90ED4A,SHA256=805F74AF206188BAC5F5DAEA455EC2AC4C4969B092828B18B05E4148C2F02549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:59.459{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BF8F77359A276C2EB9067C4EDE50C8,SHA256=D5244267424831042EE4B1C266CDDCE4F69FB989E6C4CE7FCA993F88561E3D9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232000Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.712{D371C250-6B47-6127-DF03-00000000F301}23762120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231999Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B47-6127-DF03-00000000F301}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231998Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231997Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231996Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231995Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231994Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231993Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231992Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231991Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231990Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231989Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6B47-6127-DF03-00000000F301}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231988Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B47-6127-DF03-00000000F301}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231987Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.525{D371C250-6B47-6127-DF03-00000000F301}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231986Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.306{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C5208E596482CB31690355516512A97,SHA256=C025B1DD243325EE6AC42311D6B3CDF75459A04469207670D5BD91DDE2915436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231985Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:59.040{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD37429F1D37DBDA8F00588748714FDC,SHA256=2C8F76AE292B064DD5111C0EDB3378416287614159591C4EEA9819E8230DF9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:00.540{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-116MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:00.460{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57971975648CF434FEA05B0943423ED,SHA256=D8D55A4CBD6675D9D7E12775235D6B144A574B3ED1198B0BD6EC71E540F51D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232016Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.524{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1175189289BDF37FC0C05F4EE5447E3C,SHA256=CF8E3CC256814ECE809FDB68901BD69D38B132AEF0E1C80B76D8CEB9CC10CB26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232015Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.353{D371C250-6B48-6127-E003-00000000F301}25003484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232014Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B48-6127-E003-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232013Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232012Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232011Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232010Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232009Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232008Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232007Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232006Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232005Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232004Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B48-6127-E003-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232003Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.196{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B48-6127-E003-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232002Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.197{D371C250-6B48-6127-E003-00000000F301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232001Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:00.040{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B806FBCA9358E871CE6B3F1BA75BBBD5,SHA256=BFC669C5EF859CF0CAFC76C4B096DCA37E4005A9AC9E3829DAC1C1C67D2D1A67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:21:57.668{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63951-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:01.555{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:01.538{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FA52955AA96D438413ED7B89174B13,SHA256=693D0ABCC85AAC82FC5CDBF7E1075C842FE3677E73BD613F91522CFB86DFB2F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232018Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:21:58.216{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232017Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:01.056{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA876070CF7162322C8395DC29393186,SHA256=8E755B2AF6637C20818AA75F4B56C281FF11C701B21504928BF49BEB15379D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:02.556{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CED4D2597D7C2DB50CD2DDA5A241EB7,SHA256=530A8F1B9613D61C01D73222C3A82C56B182A71A9C451C3D5A6573F031F7651F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232032Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B4A-6127-E103-00000000F301}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232031Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232030Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232029Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232028Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232027Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232026Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232025Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232024Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232023Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232022Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B4A-6127-E103-00000000F301}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232021Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B4A-6127-E103-00000000F301}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232020Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.103{D371C250-6B4A-6127-E103-00000000F301}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232019Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:02.071{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F93FA93E4982783F2884AD895120D8E,SHA256=799642DDC6498453E82CB74EC922C348B2D07C279912A3BD23FE1E2BAF16C3CD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:22:03.932{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a64-0x36e86702) 23542300x8000000000000000272963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:03.588{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF7D4E520DB2FD53ED63819430AF788,SHA256=3B8B0B8170F9CB0F402792A9C1ABBB6EEE5BE1001A24D187EA64DE3800DAB0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232034Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:03.103{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8734A263125188BE727E44B4B82C03E,SHA256=70556A8BE5F7EEE06F8D7A0F3CC59B0CE4A2795A9BD30EC4F204BD4BEC8A271E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232033Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:03.087{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA9D4A9390AEBBC54B4BAD6E906277E,SHA256=FE2ED45FCFCC6E51B7B3B80D4DE50E9478A7202310C74028E11BA20E03DFB300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:04.651{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B2B1D27437924E6995E2C3D03CA3D6,SHA256=4D65B93AA8DE8CABBD9207D38AFB69123A17E45A1581D48F54E888C6B6355AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232035Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:04.103{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70F824C3ADBE41411817D9224BD0CDC,SHA256=84381A9C6B1A62003F0A71EC96E683CF5F043E18180F420F89E3A45EDC8E5B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:05.682{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929B7B457310EFDAC4C8798E4449DD13,SHA256=86E82169A490016CF3AD37A1DC5320002946341E5ECC4D78496B17674A421AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232036Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:05.103{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2EC4CEA934A38585BD7FE57E3E0BC4,SHA256=78630E14E0E88ABB3A028BEB80AC284A6E512B74A0627C4421F6E9037B25F945,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:03.484{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x8000000000000000272966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:02.812{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63952-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000272969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:06.776{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FB6AA854E1DE2F8DF002172D31E896,SHA256=042847F8D40364D7A8BFE4668B9925C09899D037E2D5D6678C350ABDC78FE132,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232038Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:04.029{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232037Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:06.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E4BB6BAB2AE8811BD1C797ECAFC282,SHA256=EBBC9DFCCED4B0DF32547AC8DB77DCC5E443CAFCD675CD92ECAAFEAFF7ECAB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:07.791{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70217EB5E73996944B54C542D1A8BC4A,SHA256=A21AEE9764F0E1B37388CC95EA0B2F2CF5A8963262CB35E83134E2DC59B54B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232039Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:07.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6B1E90B20B8089540C3BA5466C42EC,SHA256=8F436A1495322B77EC2D98D95D2A9DF136DCAC71FD59665115285AA2FAD56CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272971Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:08.791{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F70AF3E117E443EF4EE005D716B7E6,SHA256=D40DEC8BE413DFCBF99A35CEBCF3F21EB16C60C9EE2EF3EA93687B9E47599C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232040Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:08.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9EF947362482795FD08625D851A5DD,SHA256=BAEE7270D990FE26D81CCA2EFE10321FCF8FDAEB40BAB95E9BEDB0B4253D8672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:09.807{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EADD9432F2D7F47D0D221945756914,SHA256=753C8A19E6945BEF2B3A99F69A15750CA6A7707501961E463C9773FAE45605AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232041Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:09.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA29B23CD985B67B029211180589E366,SHA256=4D2AC759358D750A219F803E91C7D8B8DA0F3EAF5EEB69722B0B1C9A059762E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:10.823{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5ABD81C873BB4321A981F0FB36515E,SHA256=3FF659B71407AEB90E98AFAF0F62DCD03BB224ED0A0BF5F858AB892014DA51A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232042Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:10.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4499CB49E03E599756CFAF27239995,SHA256=A13A55563EDE6FEA6F88786FC975A5D08BE7D5DE901D4F743E6D37A100B69BE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:08.657{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63953-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B53-6127-1C04-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B53-6127-1C04-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.901{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B53-6127-1C04-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.902{80A11F3A-6B53-6127-1C04-00000000F201}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:11.838{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C145D13AA0AFB59B7B86D45D0B1032,SHA256=44E1B629339AF78AEEBE1698C61277081ADFC228A0348DB1FC28AF102CCF2AB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232044Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:09.170{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232043Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:11.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E45D04596F746AE5485B9E076C5C3C1,SHA256=7F537F828F4C09C40943EA7083FB4F5E476FF792D31AF48BE97625FA65035588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:12.854{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8910527D7701B19BCE8E00FC976D62F7,SHA256=B7E0A0A5799002978244D55323349635012D886B1B86F400E50F63865DFCAB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232045Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:12.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7274A0D6AD1E1B8927DE0197F36109,SHA256=EB909D6650F10F2A45C8956DEA91879F83489D2E0FACC3E01B0CFD154B59AC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.869{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34FDAE46585ACF00CCDA82233DDA342,SHA256=1AFAB3F66ADCA8CAB14388A05E6194782FC29283BDE6CDF2698C6971C6BA7940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232046Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:13.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330563D99BFCFFEEAA8204D10115CCA1,SHA256=F3215E2948151032AD5B85403BD7BF5DBCE83B8C6B1C44323F7C3FC4F09F89BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273003Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.822{80A11F3A-6B55-6127-1E04-00000000F201}34924516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273002Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B55-6127-1E04-00000000F201}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273001Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273000Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B55-6127-1E04-00000000F201}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.541{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B55-6127-1E04-00000000F201}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.543{80A11F3A-6B55-6127-1E04-00000000F201}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.057{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EE65CBA7CF88B7CD6DD9F6653F3CD24,SHA256=41BD3DEFEE518E51E1A105DDEA3B36B21CE99FBDB4DE110F8153CC916DFE515C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.057{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6289FB6D167C0A43248865E56EE83332,SHA256=C55AEAC32B16871350AB63FBDB2A17CBE95C12152F72B1FA0DAFF8CDFE822D3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272992Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B55-6127-1D04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272991Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272990Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272989Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272988Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272987Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B55-6127-1D04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000272986Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.041{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B55-6127-1D04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000272985Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:13.043{80A11F3A-6B55-6127-1D04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:14.885{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D5DD6CA1B6355515844B4442281942,SHA256=C607F8AD9866447F1ED1748BDB2588CCDCECEDFC613AAC824DEDA3D12A65B181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232047Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:14.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29020CCD42BB401F945DBEF76C8104B3,SHA256=94DC544A6B3FF229CF4DC058B5A6B0DCDF4BAB300810E82E9725F200FB4F1E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:14.572{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EE65CBA7CF88B7CD6DD9F6653F3CD24,SHA256=41BD3DEFEE518E51E1A105DDEA3B36B21CE99FBDB4DE110F8153CC916DFE515C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:15.901{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC8710D110B0C446CFCBBCEE9A39E45,SHA256=E1DF098B8AA569BC7E272CB9C9856AD7C9384E1B441F1529D3B13D78F3E0F402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232048Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:15.181{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69A50518A5F4282D5173DB5CB2542F9,SHA256=ABB5D0837EED4AC55C74EE765FAE4C914CEA1E7CB693F9D3A77F74AE43881961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.901{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDEE9A5779053F56C65C29E12DC1AC0,SHA256=AFBE713D58F056A8E92E9584242E6811B57AA813F62678C77DFB949EF3B859D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232049Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:16.196{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3DD3A8A97560D1F7E1A6497784747A,SHA256=160F0119975A15156004C2B4AE0EE6765CE6256B214662D7630FDC7B623FDB6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B58-6127-1F04-00000000F201}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B58-6127-1F04-00000000F201}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.822{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B58-6127-1F04-00000000F201}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:16.823{80A11F3A-6B58-6127-1F04-00000000F201}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:14.094{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63954-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000273008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:14.094{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63954-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 10341000x8000000000000000273038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B59-6127-2104-00000000F201}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B59-6127-2104-00000000F201}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.995{80A11F3A-6B59-6127-2104-00000000F201}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.917{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B629A27E52BD7D69EB1CFC0A38C12B,SHA256=D3D761B1AA3E94B03272295D8189EF97E9997D4DEB20DC6F68F780B79E23A737,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232051Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:15.201{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232050Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:17.212{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CC7C7C3114EF666368EF1CC7EF99C5,SHA256=939A9CDE1FDCFF701C1154FA406F6F399FB1443650C68C0075F0F819EB57EF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.838{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B72A54C547401121018ED5418735B6E,SHA256=EB8D6230E8540D4A64B846072E9FA1DF4799CC245E632E6061D52C4F7BEC3298,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.729{80A11F3A-6B59-6127-2004-00000000F201}11204756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000273028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:14.688{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63955-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B59-6127-2004-00000000F201}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B59-6127-2004-00000000F201}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.494{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B59-6127-2004-00000000F201}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.495{80A11F3A-6B59-6127-2004-00000000F201}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.072{80A11F3A-6B58-6127-1F04-00000000F201}21483288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:18.932{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39194404CB3D8BF5138452374DD39AA,SHA256=CEEA370A8081980ECB82F87A3C501536484BC79A65409810F7E4D2A142EAB7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232052Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:18.228{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B0DE3728626D762116C44CCF55F063,SHA256=FBA1A3A8CB08EC15359B4FB26F57BACC825432DD8DFBC961FFDDF35732192792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:18.213{80A11F3A-6B59-6127-2104-00000000F201}47601160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:17.994{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B59-6127-2104-00000000F201}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.947{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9643F59F89E8DC463C954C4022A783C,SHA256=15AC1D2D49A15AAD47836A6BB76EA0D2B0AAD9AFAB67280DBCD86300646BBBA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232053Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:19.228{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473AE3B07262FF244DBB453E7929B372,SHA256=5AE10A374D897B635A5055A3D5AF2991AB75574116EC5FECF8650E4C3FE4B9FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B5B-6127-2204-00000000F201}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B5B-6127-2204-00000000F201}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.510{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B5B-6127-2204-00000000F201}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.511{80A11F3A-6B5B-6127-2204-00000000F201}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.010{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5831A0D89F105405CA1A1DC60D40456,SHA256=0FDBC0AD383DFBA003BF1E3A3FAAC0DE6FE669A6D1D816DD6780B1B200FD9571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:20.947{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C349F8AB365B54A6451ED9CE9E28A91,SHA256=15FE415C0370DB763DFAEE9FC83B7E4B1480A736956E4B3FFE5421F578F81421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232054Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:20.243{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C685DE540E93CE6E2C3AFEF445EEEDA3,SHA256=9267F80492B63F0CA427AE83043808E281A73DB821E93667EB0801DC84C69AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:20.541{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EF94074FC35A38F440EB87CBCD643D0,SHA256=375F68F967CFA345DB93DBB79F4D73394621650B36D76239D25177941F709D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:21.963{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D523DD9DDBBB3781887DB30CE58C336,SHA256=85C751B3813A27B35BC2709EA3A1D773A109E66B29903F0DA2D16DF81523A5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232055Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:21.259{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D417E9CCA3E3EA713B02387D8C17E66,SHA256=A02A47452AF42119F839D34406571B326133BA99909213C88787FD40A320A4ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:19.719{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63956-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:22.979{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6587E6219A5A6C4649F1D70425ED55A1,SHA256=1E5C9C2A1C77E188E712571B3968D323BF54F6A1BE733ACC635B8D88CD640705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232056Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:22.274{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16D0B55332638A3B14C57EC442B9D2D,SHA256=DF8C1ECB1BD25ABB04AE4FC6AC4147D88BE598DAE455488A8B3397199EE6A2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:23.979{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E249EF0D23D17DBF6652015CB953744,SHA256=D3A4F990E7B183FF4691E11300292ED72D92D8FD65CD194A79856AC01623DA86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232057Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:23.274{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C318FD257F6EF907D59AD5CCE617C5,SHA256=357E165BE39A5F243A1EC8819F3C81901560ECA1D27285826789F33AE22AD2FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232059Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:21.217{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232058Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:24.274{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D669F282DB40CB5F838C1A3C02CA094,SHA256=1614DA742A1CF2646145CAE0AFA5B03A657C1FF7C2DFD4F52482D83DB32C75C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232060Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:25.274{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABEB527A93BF7E36FE3D6D96E22FBBE5,SHA256=280C10A8FCD084A8FFA0380038A29ED69D22D0F075336D2C2691ECCE6D115191,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:24.066{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63957-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000273059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:24.065{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63957-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 23542300x8000000000000000273058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:25.025{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B3E5B0B67ADEF8691126A00A91FC37,SHA256=49B5250FA42E67B8FEE497C3FE693496B7640906EB993D3170AC1AE3A85356E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232061Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:26.337{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBCB0BE2051D0144BC8B7F34E4E924A,SHA256=3D9589CE29D442B4A383D6946F409E40B072CACEF31AA707D7FDFA68CD923AC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:24.813{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63958-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:26.041{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0756A09B40C32333A1AFFDF6C25F878,SHA256=5506F945DBF64E4FA6DBC482EF5F937310AFE7C696F16593FEEC1D5AB8221DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.057{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED44F04BA8384C2F9F298AC716FF6A0D,SHA256=99EA93A09D9FCF658849F7970A633F4CB7B5B4E8892947EDC9896C0DAAEE80A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232062Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:27.337{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43563261DDB87A17FB6A2844E219E87,SHA256=A38C183D460B26B189F6D167B1038FE3F12B783C86B17FF4391078B681E6D8F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:28.400{80A11F3A-4F15-6127-0B00-00000000F201}6323276C:\Windows\system32\lsass.exe{80A11F3A-4F11-6127-0100-00000000F201}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000273064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:28.088{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE85C2BE4BC66AEE928E8790D3FFFC64,SHA256=707B26CD25C0424D10580D5320B3508A59F5321CF25BFE384459EBACF2B9E524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232063Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:28.337{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050B48F22ECC814D5F3399852C6D9C1A,SHA256=3582500A8DF41BDF7E254B08FB666B1C5EECC47B372235C68C14ACC26327279F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232065Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:27.123{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232064Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:29.353{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7568AFAB5D3866F7319E16313E072DC,SHA256=44A0E499BAE627B8F2DA8E5A1B8FE27CB08B974BEECB6CAD357D26E32A4F0C3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.887{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local63962-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000273078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.887{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63962-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000273077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.863{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63961-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.863{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63961-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.863{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63960-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local49666- 354300x8000000000000000273074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.863{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63960-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local49666- 354300x8000000000000000273073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.862{80A11F3A-4F17-6127-0D00-00000000F201}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63959-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x8000000000000000273072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:27.862{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63959-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 13241300x8000000000000000273071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:22:29.525{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x8000000000000000273070Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:22:29.510{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Config SourceDWORD (0x00000001) 13241300x8000000000000000273069Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:22:29.510{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_306E0B0B-0719-4FB5-BA4F-7A2D80831A9D.XML 23542300x8000000000000000273068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.338{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B6AA793E9DD16C1926104FE12C26B9,SHA256=6E5DCF3E14F452AF89C175418B1D8C4C7C6D9C593F3726CF5F3BC1578662CBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.338{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=351756EAA6E884DB9A6FA62275A657FE,SHA256=2DDA2B20DD144E88F1388DD38CF8277ADD8CE63330FA7263FBCE40B21DF8AEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.135{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55BB7A38BD3E3FDB1643E6E18BD49C9,SHA256=5CE945E1CC141AB6A40F6E119DE65D60A22D8738FEBB860829D5A0692193AB44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232066Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:30.462{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5244CC5F9636E4F07C9F3B95D9B1D6,SHA256=DEA862E8E4BCA1A8CF8E93EF95A8D62890D6F791A33112AD1C5A25532A400AA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273087Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.105{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63965-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273086Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.105{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63965-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273085Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.096{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63964-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273084Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.096{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63964-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000273083Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.080{80A11F3A-4F17-6127-0D00-00000000F201}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63963-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x8000000000000000273082Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:29.080{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local63963-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 23542300x8000000000000000273081Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:30.541{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B6AA793E9DD16C1926104FE12C26B9,SHA256=6E5DCF3E14F452AF89C175418B1D8C4C7C6D9C593F3726CF5F3BC1578662CBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:30.150{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1ECC1C1F927C93EC63FCC91FE4B47A6,SHA256=E82CB41D0E5EC506306267F7AD31688A98A123E052D8F53F66B1FC20879F7636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232067Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:31.509{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB21FEA42A62123817AEE9FAD507E4F8,SHA256=6D396F09A4A83AF2E19B8D368500C40FC8CDC4BA7990517D932F4FDD6383E80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273088Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:31.182{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E32BEC0B97E0FD457857CD6EF87D01,SHA256=637126646767FF9BCE9352A11EC960DAD4C16E3399DB9507C480F9E2DFDB6CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232068Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:32.524{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD1BCF060995283F38A11767C83A701,SHA256=A017CA6E0C8A95F9F54F9D3299EBAC47E95BFF66796824047057D4BB44E8469F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273090Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:30.782{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273089Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:32.182{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD9DB793B26860D265FCF3DD916C419,SHA256=68FE65B5187D93A86A4728DE6F0552C843E40977F452552DE4B1A8F69EE34119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232069Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:33.556{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57360BFB0AE12DA165F7B96FC58DCAAC,SHA256=0541788A743F13718720DFD39A141198B17F2DAD4B06FD026A44F1725D04C2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273091Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:33.213{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B7FE9EAAE26281FB65F9F00FBA2260,SHA256=551A02B8A06EB7F2CBC7D21337EBB7099505F624BA537B1B1C2DB0C9065772EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232070Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:34.571{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB236A65C45DA0098DFCAE14A7FA8914,SHA256=C01EA455D345A10D8BBC4A9399E87614E7DC6B44FFF427FB3D998B99EF62962F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273092Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:34.322{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA2406A8FFDAAEE856E7A4CB4EE46EE,SHA256=005D03F290873A1582775AFEAD40F77415867DF97B73C1094F1DCD7EA56DCA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232071Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:35.587{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3132E908A0816BDB22E0BE1DA33ACA3B,SHA256=70B89136A2B4852D55AD6C1553EF70FDA548ED3F40366AB6A4852D148E9BAECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273093Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:35.353{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112F8CC640BF3E267C8E4B1C422119BA,SHA256=0F2E33F674995E2000E6D2A31B447445FADD4E5D67C310F0CF091F456E7201EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232073Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:36.602{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D939ACF2BD51DF776D57593D495265,SHA256=D7C8C9CC6DEAA8BE3EBAAE64C8B882C88759AE7E55FD02D6D2302D31629B4F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273094Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:36.369{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2544CC4DBD672C021476170BB9FF35,SHA256=4B9B52A47B3DE8669CC64C6EA022CF5F3C8446D52839846F92E150FAAE90F3C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232072Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:33.154{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232074Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:37.618{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB7123BB64C61529C1C78281A9D3EE3,SHA256=7EDA92DDEA247D723997DC486F67A083CEC3B66EB8BC354FB3B18496F12F28FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273095Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:37.385{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804F14FE7CC7AD909CFACB260406A3B0,SHA256=0DB0888CF60C3E3CDBAFAE98C2CEA191A245180B8EB86388699678CE9A67E384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232075Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:38.665{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8743BFE9C51D8A009588A4F72FFBD302,SHA256=6895291FE6FD7671DD20AAD8A466440AF4A4225A4911DFA86784D3F68193EF4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273096Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:38.432{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB37EFF4E1D728DDFC20A1723C850394,SHA256=33E6A59A49E96EE02C69F19DB1D5F2F288395855458EFE59B0A323A4A8EA491C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232076Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:39.712{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185E2A33F59D9B9C928A21E95D093B10,SHA256=FAD8BBA0E10681B2FB4D019CBABEB0E3E2B7031C0E0B5754D7D58106C5547A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273098Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:39.447{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448B2FF9D470DBA3CF6AE98D89469DAA,SHA256=646F68CAF36F879F985ECDAC078A15A8A44CFE00BCE9D7716AB8044EFD9A6368,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273097Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:36.782{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63967-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232077Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:40.727{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C827F904F5E01B0FE1581E48E722F7CD,SHA256=B15BB316E7D2A9545AEEB1184D26D0AD421F53A78A87C349DF0B4A964DF65603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273099Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:40.463{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827BD5A2F58042FD42CFAB194FC5EB95,SHA256=A4CCAD86A53AFD5D2B2850D679BC3FB483CF99621C25B8821C8BEF892BE01DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232079Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:41.743{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE58CCD7E17F8E64E11884DDCF11A96,SHA256=9B7DF9113BA91782CA0DA639A1BA2860C7157B0601C20C7CF3DE58483013571B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273100Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:41.494{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF315E71A5D05E2B264BCE5EACE8576,SHA256=B9200D4028A46020A0A88C2989E01B8BF2176A1170347380CF6F3892B1D62FE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232078Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:38.186{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232080Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:42.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21834AF56C3455DB21612EC7E04C2EDE,SHA256=D4F60FFD6C506CA29DFE791ECC28B4D8B1E98DB5A3D5C7CF72D526F795B6DF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273103Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:42.510{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33139854D55DF5777E9557B009A1104,SHA256=D37A212EF50653B0155F24D27760E109ADE3ACD50761674BD28DFD584C28095C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273102Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:42.010{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5C865B1AB2965480E3DCC9C0422188,SHA256=408A65889AEA55EC1D6D50DB9E80DAE9C6B1031E003561CBD45C22FE5CBD7E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273101Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:42.010{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0042EDC196ABA8110AFB913764873A9B,SHA256=227098FAB1513CA9D892B46EFB698F771B5AB752CD7387ECE591600BC288F613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232082Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:43.759{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E775EE23A1C01CD6173AFBB359D9DE9,SHA256=2BFE89F1126C895CEF384E74267EC0AE56CC9EF3DDAA599E8313F5E1AE1C9532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273104Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:43.510{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5625CD4A8AD57D550EFC8F90280457,SHA256=F6AD9EBBA3E6D7AA89A354CFE9AE00EF49D693B3AF7EB4AEDD0B1F296CB4CEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232081Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:43.431{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6463967EA8048CBE5826E1877925C0F0,SHA256=F5FCE3D66F1223468BA9403FB139E4E9ECB5EA0CEBB3E5F7EC47B3470C83A264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232084Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:44.918{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-117MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232083Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:44.774{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02987CB7F5BB232E257EDD6C75C4285A,SHA256=C0CB801ED92ED49EE5394184A8A066EE69D446657161BC8CE27958E0583DD62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273106Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:44.541{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFFBB33C204064E479E5657F64ACED1,SHA256=9CD6CB469ADFB326C964290B85F6202D380B411E9183CA9BAA892BBED0699909,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273105Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:42.672{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63968-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273108Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:45.603{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A6A4C5B86A3DE25DC09B259C8DC032,SHA256=87745045D4ABDDAF11FF4D901E35799B7FB3A03DD4A7C9B7C4BB74A5458265F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232086Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:45.919{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232085Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:45.777{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEFCAF03D1CD3BBE707D23FA26B2E37,SHA256=9EE536BDD21BEB5FFE3BD7A65CB0A31D2D1B20F6448A348C8E626C7B1545F179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273107Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:45.197{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0A6F47513ADE3B87FAE75A3D1E3D868C,SHA256=83EC9DB0B25810CFD04DFB63A8CB15077020A8E31F0A6BF76183859F3C281ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232088Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:46.792{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0499AF8FF568213A1F1E101731166472,SHA256=B2DDBC05926A065802FACE707260D2747B04877EC6479C41EBEEABCE1A3FE1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273109Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:46.635{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5E1DC49A0CCAEE301ED2E7572A9052,SHA256=FE3813D120C4EB0C4AAC5B3A8538A6EA48103C8D075F95BFC2A84263C5076033,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232087Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:44.032{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232089Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:47.808{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DD547C0FF404D08437B888D0EE8C32,SHA256=22050206CC158C4F7D30005CCCA94033D21B64B62AE78D1B829956E2B11AA830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273110Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:47.681{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560D29662BA0A408AC26E932A159B30D,SHA256=C4EB94B1A9336D36E33345F4BFD8F9B53D457FEED986E5091E93026E8A2488FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232090Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:48.824{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AE77C390D0663A4783D6AEEE89ECEE,SHA256=5F7F65023AA3C68BF0CE89BCFECA0651154E046CCB90E7A3F45D284740B046B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273111Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:48.697{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3727973CCE4975C925B75473C3B3E1CA,SHA256=8B79EBE536521CFFEB2D6D23A62A2DF386C5A78A08A22FAEFABEC33A8C504DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232091Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:49.855{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D675B80F702F348ADBB039FA591CE471,SHA256=CDDBC7E705697A8438FE1E10B85BE8D21A795DE56A71018D53494A11E300AF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273117Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.775{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E0B50E756477B6B08FBE2636EAFAA6,SHA256=C19AC3A212CAF5B053509D3DA2B8774DFDE01B1FE94E81BFECA98A3EEAC3F183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273116Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.728{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=2F44DB78F64AF550704C783225FCDC95,SHA256=FA19D38A31D92B0BCAE20133607437606C0448629A772630D001C23E3FCCD605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273115Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.728{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=8F0F4092CC08A060BA0EB9E30E7075B6,SHA256=808D1DC5483D313720A721A0C0571166006D018A9260DE5BA02BBF3160013764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273114Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.728{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=3E62E66291B8F0BFF730D540016B4804,SHA256=9BA8E6F5F16794598E903028BDE74E77D0630522268C5AC34E6A7A7943AF46B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273113Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.635{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273112Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:47.719{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63969-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273118Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:50.791{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F242A33812A769A64651513042B6369,SHA256=7097748F08D60D407C36059ED33D0DB46BAD9340D7B378390380139CCF79E0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232092Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:50.870{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B068E18DE0F2E86314DD265542F80CF,SHA256=1D5C0AB75DB285F5EA54D9F2C0933DB5D60CECF366C443E4B4EF61334E7BE264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232094Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:51.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90498398C6CE578890782AFBD8BC5E2E,SHA256=3F1584C5FA3DF458228253C55755C3DCEF989AC04D4838C875BEAEA2FD476B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:51.838{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F2321B6527FE3ED6ED2E3CF9DF5392,SHA256=2F7921C781139C2566725764EC5FE5C965B430D1E1B07B49D1CCF60DCD41F0D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273119Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:49.188{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63970-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000232093Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:49.188{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232095Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:52.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A335B859867454194CE9560A0A84968E,SHA256=54D0384579A88BC25E361CF39F71A107174EA03A02441DCCE6E3F7AA34C60C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:52.916{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C46D9204EEF7D939712A502BBC41348,SHA256=3A2883F817474D97F438EC1C3993AC911DC6A4E8A31DECF5BC6CC5A10CACED77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273123Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:53.931{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D9141D9F852EE78B2384AA58E70156,SHA256=AFD92D03FEE653DAA54D76CDD71AEE0A482F34DBFE7B95BADFAC874D5155A7F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273122Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:53.213{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F82-6127-8600-00000000F201}2084C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273126Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:54.931{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A51BA7CD59A028C57146868557EABD7,SHA256=7388491C4A6E86DEAD7194EAEA30270FB867F98A4CC41DA1C3E2B48C208508C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232109Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B7E-6127-E203-00000000F301}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232108Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232107Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232106Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232105Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232104Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232103Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232102Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232101Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232100Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232099Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B7E-6127-E203-00000000F301}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232098Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.714{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B7E-6127-E203-00000000F301}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232097Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.715{D371C250-6B7E-6127-E203-00000000F301}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232096Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:54.042{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FEDDF92B72BE78529274610163F01D,SHA256=CCFC256D465CF6E413F0D0CFFDB0FB79A81FC6468BD2767D304282CDE99BC79F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273125Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:54.853{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2800-00000000F201}2816C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000273124Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:52.797{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63971-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273127Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:55.947{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC6A3FA62ADBC56025D9137CD16152A,SHA256=4B5DCC10D691754C33DA87C93BDAD84526B712F4B921E0931829E8881EB5A669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232125Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.792{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18C056B3F57CD2A4A0A3C0B92D39B945,SHA256=72D9990570BE27C3E3B0D77C28D6FAA39ECF5284FE0A1B45F57DC5966B5829E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232124Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.792{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=523C59D0F19F2BD75DF347FB938D6A31,SHA256=D3D7017CE4D107BFB583D737A4468D4BA641D55C40A7B1411B8863A840E5397B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232123Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B7F-6127-E303-00000000F301}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232122Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232121Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232120Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232119Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232118Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232117Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232116Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232115Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232114Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232113Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B7F-6127-E303-00000000F301}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232112Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.386{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B7F-6127-E303-00000000F301}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232111Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.387{D371C250-6B7F-6127-E303-00000000F301}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232110Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.073{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530437FB07C528676980B291EC148889,SHA256=91EE023C5A0A035A45B8269F75C0184B77A620C6D097E51F253C5856A20AD906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273128Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:56.963{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAA05D97E4343C89ED1DE170803C0DD,SHA256=ACDA2C8D7BB385D9E91E8A1662E8FA22B0F7B694D5BCA31642ECE7115074A019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232141Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.480{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232140Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.214{D371C250-6B80-6127-E403-00000000F301}2340736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232139Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.120{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844F7732F9BFC53EC31E55B6A337F8ED,SHA256=86BD44C0D5863D8784C0E27B7D7C195585948EFF4E2B6FCADC8C1E7BC7BD14AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232138Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B80-6127-E403-00000000F301}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232137Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232136Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232135Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232134Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232133Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232132Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232131Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232130Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232129Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232128Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B80-6127-E403-00000000F301}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232127Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.058{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B80-6127-E403-00000000F301}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232126Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:56.059{D371C250-6B80-6127-E403-00000000F301}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000232145Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.438{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000232144Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:55.204{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232143Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:57.167{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8CD76528D93904F94C5575013FF225,SHA256=3A5D453D1E3B69A5C1AFB71B6D1E67590CFCA730EF3B3F501AFE78B678CBC2D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232142Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:57.058{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18C056B3F57CD2A4A0A3C0B92D39B945,SHA256=72D9990570BE27C3E3B0D77C28D6FAA39ECF5284FE0A1B45F57DC5966B5829E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232160Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.340{D371C250-6B82-6127-E503-00000000F301}32481012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232159Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.214{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FD23C70915CE7D00CBA7FF21EDF828,SHA256=A81ED577668ACBCD0BCE95596D7409A297E387244E13E7648C7653371E440BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273129Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:58.009{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E66E75B881C6BBED9005E9FBF314218,SHA256=809F779DE9586A0190DD48DADC93CDF960E7EA385D73B5B676E866B748AD4C72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232158Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B82-6127-E503-00000000F301}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232157Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232156Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232155Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232154Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232153Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232152Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232151Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232150Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232149Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232148Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6B82-6127-E503-00000000F301}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232147Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B82-6127-E503-00000000F301}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232146Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:58.152{D371C250-6B82-6127-E503-00000000F301}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000232176Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.698{D371C250-6B83-6127-E603-00000000F301}4092580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232175Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B83-6127-E603-00000000F301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232174Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232173Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232172Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232171Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232170Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232169Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232168Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232167Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232166Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232165Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6B83-6127-E603-00000000F301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232164Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B83-6127-E603-00000000F301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232163Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.527{D371C250-6B83-6127-E603-00000000F301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232162Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.230{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B979A6606C64B1EDD831038CD310B60,SHA256=E4C3288F3D01701764F0C2F147890B9FF00466D25A1B7EDB43BE96730E1C51A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:59.056{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2923BEFEDD2200F0DE7A42213642C2B4,SHA256=DE06DC0D0CC4022118A8B499685FE4B5CCF90BFC6773731F88264AC62228173A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232161Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:22:59.183{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2F6548A85023919602370CE80696328,SHA256=0AA0B51982F25475598935010F99532735A7AB47F96E5BEC5D850CEACA471591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232192Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.761{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCDD2A0D013AA4901D0B445848658FDD,SHA256=5B6557FB5EA065EACCB520CFCD37110263E9B4D22235E918DB9DFFA59B8AF142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232191Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.761{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11864B2072331D9EDF9F31D150905B6,SHA256=26F6DA392CFD65F2D028FF6D3E7DABE4696E881EDDAACADFAE1AF0DA3CD65B9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232190Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.370{D371C250-6B84-6127-E703-00000000F301}6562284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273131Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:00.072{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F4A8183E61E86CA1C35BD914F77D86,SHA256=A28CFD9010BE69CC34B822857305656F85D7080A2D4715AEC27B79A5B3A1F3DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232189Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B84-6127-E703-00000000F301}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232188Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232187Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232186Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232185Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232184Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232183Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232182Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232181Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232180Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232179Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6B84-6127-E703-00000000F301}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232178Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.198{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B84-6127-E703-00000000F301}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232177Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:00.199{D371C250-6B84-6127-E703-00000000F301}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232193Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:01.433{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B069B908256E5321E77342237012DF,SHA256=AD055BE039AB34DA9CC142CF75F922917D8469C1E3ABD4A8CD1A2FAE17F59286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273133Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:01.088{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA64CBE8BEE54ED66DBA52CBCA23534B,SHA256=8264E393D272737AA0197419BB5EF71CCD82380F59FF8EBAF73A9FE056D1B773,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273132Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:22:58.704{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63972-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232207Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.433{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F0B38DBF73FDA4FB76C11EC7D1399B,SHA256=E892BC48C9058C31F1D24D6FA0F24B8AA89058E514B9FEF26AAAD807B8A3E60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273135Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:02.090{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6FD842DB119EE91125B0B007F996D8,SHA256=BF42256C863F9DFF942BB15C8AE6D8E0F34E0F02E441B801FCFB8405A0B67863,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232206Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6B86-6127-E803-00000000F301}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232205Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232204Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232203Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232202Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232201Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232200Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232199Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232198Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232197Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F15-6127-0C00-00000000F301}7242788C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232196Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6B86-6127-E803-00000000F301}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232195Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.089{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6B86-6127-E803-00000000F301}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232194Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:02.090{D371C250-6B86-6127-E803-00000000F301}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273134Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:02.075{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-117MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232210Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:01.079{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232209Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:03.433{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0E2D088EF85338DF6CA3E9C3C3497C,SHA256=818D08A46C8BCD55C1AC06CEE37A251DA6BF522C4FF141B123D6884D36868CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273137Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:03.092{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7F97CB6D21A8C269834431943C62A0,SHA256=BDD0F551646AF09630B47E033BB1CDF9CF97AF176B6A0C0185DB641F3C1C9045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232208Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:03.105{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8B71368BBBE6FDA3088953046D06F18,SHA256=25D32CB67C87F9B78AD822C60A9267BCF11EBBAA984FD4563E54EBD9ADAE8161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273136Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:03.090{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232211Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:04.448{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AADE5DD9BC5585500A6413CF80C9BA0,SHA256=771ACAADA7B1CBD86ED284B52E55CDFDA133C47B1D83BA646B46B102FDA1900F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:04.105{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB2B1DA4B14F88384A3B62C16FE8854,SHA256=D0200CE07899FFDFF9A9C760F982180FDE690EE9344AA3F00BDCE878734236AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232212Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:05.449{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E141715BBC6CE42CD861CEF3E767A8,SHA256=23C069D43FFEDA9D534884E168F327B5FB1C08BCBBEFE31AB02BBA604F1F011B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:05.152{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415F74C8AEE3AB2727C653F8CC9B786F,SHA256=035736FAF77DB75A30F39BA89F6F99A47EA38584B88A0484BF2C24D3798EC550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232213Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:06.464{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE0783BDD7F223EBC74045F836FD9BB,SHA256=87D696AD76D5F716C946415EA4A5C4C771CC0B4C0AB945DA5B323FB7298861B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:06.198{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A0E7D4376166197EB5B069A1757A4C,SHA256=18C7B7C1557CDFC83EEDC844C2594E7F1141818A9D166EA17DDA796094D79FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232214Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:07.464{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125246500AD978FDF38594A99441199A,SHA256=DCE97D09BC6C89ABC6404A3FC882FDE059C9E032C442CEA11AE26DCA3F29817F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273142Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:04.689{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63973-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273141Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:07.214{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3C4B98E79D44BB3A40F79219E06E4C,SHA256=44688C20A26B2C216C8D9E87A0CDDB65F04D753EF9B92D70BB34F01A02E37254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232215Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:08.527{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06687A120A82DE4F9CB5653087EDE279,SHA256=64D5E98C2432D731C075FEDAD59066239274719C1D7C29BBB6E41A2103E4F92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273143Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:08.230{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C2E3271FB593BEE1817B906CEE523A,SHA256=B4AD61EFCFE9E100819A4A3BDBA35267A401B0AFB4D3CFC71427B5475BF1362F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232217Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:09.573{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FE6A823B7DCCAF5266B1D393C07991,SHA256=EEE060954C5C1C56742A2D8FF8E6A5BAB11DE045A653DEA052422515AA68EAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273144Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:09.230{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51747643060DE607DD221F5F3C198369,SHA256=E8F79FC074EF130D346DBE92DC506D6AE4E78659E871B1D4213E492863C800DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232216Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:06.126{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232218Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:10.620{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F038DAF347474CFBA4518068A4585C,SHA256=772A40427718962A325A4F7A10B97590302EB2B4562949CE6EC743EE8F34D498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273145Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:10.245{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A0E63FBBBE7A38A975A636003A7B49,SHA256=1481B0005EBF031A0F6CEA445182345AB07225C8C251F0DEBF6A640C81130EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232219Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:11.636{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB5E3DBDFEDC411F2089F6FFE2F280D,SHA256=ED472825701C8477712FF947CF6271E14B665363A31CA98ED7D87D26B5E16A4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273154Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B8F-6127-2304-00000000F201}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273153Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273152Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273151Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273150Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273149Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B8F-6127-2304-00000000F201}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273148Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.901{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B8F-6127-2304-00000000F201}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273147Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.902{80A11F3A-6B8F-6127-2304-00000000F201}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273146Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:11.261{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3319ADA6E7FA0831D75EBBC08DDA1AD3,SHA256=70A0C2CF89B05F391F6EDDF06562DB8441F47939C43E94386CD592FC26BDF71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232220Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:12.652{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8235FF55737717203FD673C090F87AC7,SHA256=1780EFF9E97B911DFD560B029EB6EB6350239278B3C460313EC2F371A4473BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273158Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:12.933{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEACE505E6C3E3C3105E133245E031A,SHA256=7F2B9788298F23E8538DDA5DA7F9E87F4448BF51EF03FE3B1534E25B0766D7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:12.933{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5C865B1AB2965480E3DCC9C0422188,SHA256=408A65889AEA55EC1D6D50DB9E80DAE9C6B1031E003561CBD45C22FE5CBD7E41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273156Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:10.627{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63974-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273155Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:12.292{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA5087ED27C02272423A697E28BDC5F,SHA256=554F1815DE503329AB54E4DC79054E22821B43D0D9A2D30718979A55924582D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232221Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:13.652{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1F9D1434A79ACDAE27639B234472ED,SHA256=55EE4CC34DA14501EE32A13390EA5D59C29A459DAEE7ACEF573840505CEF4293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273176Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.964{80A11F3A-6B91-6127-2504-00000000F201}46922388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273175Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B91-6127-2504-00000000F201}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273174Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273173Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273172Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273171Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273170Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B91-6127-2504-00000000F201}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273169Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B91-6127-2504-00000000F201}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273168Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.730{80A11F3A-6B91-6127-2504-00000000F201}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273167Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.323{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB250AE154BCD96701EDDA004DD4B58F,SHA256=87B1CDC3FA921F60C03C8C20C60141CF29F43A08AF4469855266DD99D8E6F0F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273166Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B91-6127-2404-00000000F201}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273165Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273164Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273163Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273162Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273161Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6B91-6127-2404-00000000F201}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273160Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B91-6127-2404-00000000F201}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273159Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:13.058{80A11F3A-6B91-6127-2404-00000000F201}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232223Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:14.667{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E058C348DBDF364D5C04629A1F91CC4,SHA256=449B656FCF40F64CB338FAF94893F4F83F966BEBF1E066FA29687E35C11877C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273178Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:14.339{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0387AA0E71C8A91996DE071411898726,SHA256=C5B920DB9124E3EB5B06FC6A4AF82E52D5B2B9F1EE2DD5A4EF9D018F6B9004AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232222Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:11.172{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273177Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:14.120{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEACE505E6C3E3C3105E133245E031A,SHA256=7F2B9788298F23E8538DDA5DA7F9E87F4448BF51EF03FE3B1534E25B0766D7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232234Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:15.698{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609A8FBEB2FE3B5E94608A0B78F08E0F,SHA256=102118F427D98E608FF81C992FF580F08994847593139461DE7A9ADC7581451A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273180Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:15.573{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CED19FFA23FA9B07900686032DA032D,SHA256=0A170F75A51A9D55F66CC14BB2EE1ED5B5212C7E9542A40E23757F863B2C278B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273179Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:15.370{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347EE62A61851D207C430989EA8CA9ED,SHA256=16B0B4DACAF2FC51FAC19A36A146BC126256C696587245F333929C0E296D51D4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000232233Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000232232Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006f57b9) 13241300x8000000000000000232231Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0xff67bd3f) 13241300x8000000000000000232230Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a64-0x612c253f) 13241300x8000000000000000232229Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0xc2f08d3f) 13241300x8000000000000000232228Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000232227Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006f57b9) 13241300x8000000000000000232226Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0xff67bd3f) 13241300x8000000000000000232225Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a64-0x612c253f) 13241300x8000000000000000232224Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-26 10:23:15.245{D371C250-4F14-6127-0B00-00000000F301}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6c-0xc2f08d3f) 23542300x8000000000000000232235Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:16.714{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF005FE42F03C60690A61C746D948BC,SHA256=6BCE28FB1A4C492474C589FF357F495A5EC678BC94ED312C59B75896215876A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273191Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B94-6127-2604-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273190Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273189Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273188Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273187Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B94-6127-2604-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273186Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273185Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.823{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B94-6127-2604-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273184Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.824{80A11F3A-6B94-6127-2604-00000000F201}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273183Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:14.096{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63975-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000273182Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:14.096{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63975-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000273181Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:16.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE53226E85F71FB6BCABBBAF70D90E0A,SHA256=6E2FB11B35CD80A8E5B434B8F188B59661CA6A786D9B6F4F7103434548D07A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232236Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:17.714{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59D60DD7271A34495F44077E4F26DC2,SHA256=891A086CE9C7923C34914F17104702326A30B7FB6806298322275B7E0B4F8CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273212Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.870{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CE784A223240227F1C5E5A5FBD9B793,SHA256=9DE2C9D0FDCEEEF15D6698C16184FB254CC6D794920DCED491FA0503B413652B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273211Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B95-6127-2804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273210Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273209Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273208Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273207Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273206Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B95-6127-2804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273205Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.839{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B95-6127-2804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273204Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.840{80A11F3A-6B95-6127-2804-00000000F201}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273203Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:15.705{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63976-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273202Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.636{80A11F3A-6B95-6127-2704-00000000F201}18681612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.417{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44D4A68121202206F3AF45F5627228E,SHA256=A62D0AE293B74C2713A5C7256DAAEC42F42B9F2DA69DF40359C26828899583B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B95-6127-2704-00000000F201}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273199Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273198Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273197Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273196Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273195Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6B95-6127-2704-00000000F201}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273194Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.339{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B95-6127-2704-00000000F201}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273193Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.340{80A11F3A-6B95-6127-2704-00000000F201}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273192Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:17.089{80A11F3A-6B94-6127-2604-00000000F201}42805056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232237Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:18.730{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC9F423809B6960EE38D70E8B20B445,SHA256=B342FAFFB4DE09F9592A30122785F9C967CFC94A2D124EA5061038C2C55DD509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273216Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:18.417{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8375F3AD3B2F4746CCFDE2B0CCCF8D65,SHA256=4F1A815EAF384FE774EA3C4E6140437D5F442FFEA1BE39CC4C3633E7A6680AF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273215Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:18.261{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273214Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:18.261{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273213Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:18.089{80A11F3A-6B95-6127-2804-00000000F201}26924796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232238Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:19.730{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16D5D3100875F1B65276DD68AAEE419,SHA256=5DF3E13ECF9AB69DD2C5DC8960189D8F4BFEB41360749589641EFCD058B5BE6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273225Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6B97-6127-2904-00000000F201}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273224Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273223Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273222Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273221Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273220Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6B97-6127-2904-00000000F201}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273219Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.526{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6B97-6127-2904-00000000F201}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273218Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.527{80A11F3A-6B97-6127-2904-00000000F201}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273217Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:19.448{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B735AA006312F53A083EBA66145B9C,SHA256=6438341A440DC1F61C5345A8E5B7AF06193DE72F48D4DD6B98335FAFCB94DBA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232240Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:20.761{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EF85E36CF1DD1F96B89A1CEDEEABCC,SHA256=78430D387BC8B13FCF9419B3D7095785CE7DF528E4D0467EE22A83BCA8433535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273227Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:20.542{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAEA03BFD14A2B148DF0F438CE3D29A4,SHA256=433AD8C25FB7E1FDA8350E5D4C95C052AA43A7844A14B8C2ACB46F5CEAAE92A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273226Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:20.464{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400CCBE9FEB0F83313168B843C1C4A00,SHA256=DA31757E5B64D03ADC79638C560613E78B73847B35C832302D2715C3CFEDD3F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232239Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:17.219{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232241Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:21.792{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C5B9B7EAAAFFC5E1989F29CCE0CA94,SHA256=A9CDA2905EE497690DD9A90F88381F69B20DD326B8CF0BBD4F7147DFCD95CDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273228Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:21.495{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94C44D9D27903920CDA14C17017AF20,SHA256=3D819E4D04CA67424530D4AB6319AD9CD1329DD94986C748BECCCB58E73CCD70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232242Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:22.823{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A2C49AC5ABB1D7BAFE0C237E927196,SHA256=8F5C2F87B8634530E5FEDC503E352F337ECC14E75650564C18EFFDA67909093C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273229Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:22.511{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA14315EFD68B4A56F16372120E0CCE1,SHA256=93CFBE473A45D3D6E6240706AF11225190A3539BAFECF9F4FB84594B7054E227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232243Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:23.855{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE031BFD94D8E98F7AE8571E7EF3C79D,SHA256=8C0CAD40883E3DF4E9794067F00F24F8BC5EE41F0235B569DA176346FC00EA51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273231Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:21.720{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63977-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273230Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:23.526{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359318368D07A6D66C929FF59FBB0D4A,SHA256=924E1396DBEC3279F0B13FEAF6337814D50B9DBA0B2F06DDD186531979563825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232244Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:24.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C34A3F536B471C007EC1744462F9E67,SHA256=19BF9F2AA9482E6459F16399DB08D79E01256A6A87DC66ED15EF80002FEF62FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273232Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:24.542{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1CEACA531DCD9C3863DEAD08D9C4C8,SHA256=0A91FCC23C2302B044E1C542E21FA4C94EDEA2291E9F172077F7BBDC458CDF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232246Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:25.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D872B869BE1E60402975A94429C70C,SHA256=3361F306F623A3AC5E2799DBE39B255276AED1BA917C253AA6493E244BF5F990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273233Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:25.574{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74ED6BC44B4D4168C10D0A1ACE8DDF58,SHA256=8EECA4F47F9C85B8C699D426AE56E46844FEBA6A5F23DAC581BE2854E5C1D721,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232245Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:23.188{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232247Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:26.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773850554DBDACDA06FF675C228205D6,SHA256=37CD1CAC4806A219189FDF7C0BB15DEEC8EAE90202BFCFBA975E39E4007CB06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273234Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:26.604{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBE78CA66B8F9307158DABEDECB437F,SHA256=DBBBC6FFEF0948877BE273BF5771F21CD8CFEDF1917C022A8C5DCE022C9AADB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232248Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:27.933{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282AFC4E6515017AFB20AB445DCC6549,SHA256=7219395C1385D7A604F52415047F440D15403386A80275AC31C0F376E912616B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273235Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:27.620{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37B1F7DD96FA8449FE6FAF77A01F3F2,SHA256=6CF60BCCB9DD77F15D80CE0F32139970BBC9D73589E0569F0887338C0219362E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232249Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:28.948{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169A0A2B7A171C48BD0895AD4EEC11E8,SHA256=DDD943C7EF475D4FC3A2DD88A85FBCC6A46033BE844C94024FDAD471E32D4D41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273237Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:26.767{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273236Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:28.636{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FA170822240DD7240CFFA79E9821D6,SHA256=6C86E2845BAACF35AB79F463B560B0642EEF5C62881EA1867365BF09622A478F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232250Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:29.964{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A1B3E9962183F6F74C0B313DFA0137,SHA256=C570C46C927632E639603270D9D90D65CFA9ADBA64635B77E348691EE6966F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273238Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:29.682{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F31FD363357A38CD768133E3EF2AEE5,SHA256=90C55C96922E13C353A4CCA8B6E8B7877E69662E7A0C271C297ECE850A6AF3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273239Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:30.735{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27AEC5695FCD9D2095437CA04D3BAE35,SHA256=25EC33B22085E8B53A82AA536D8F1CF35590B045CB73B5AC7422BBCBA5B42F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:31.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC51286544C19BB8570205F245803EA2,SHA256=89F08CA9C7D879E061D918618E79924E7553BC08CDF1A376DC9386C138134EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232251Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:31.027{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C29B51D289475EDD4000B595CC45DE,SHA256=6019A8F9CFAB93637C463B68F1FF008971C6B8A61A17E32DD809FC625D5C3CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:32.776{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF632A52E8AFDF80939493DB44773168,SHA256=54238590EABB4925D71D4C860D5F87CF147E2100819AEDD7387445739229BE8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232253Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:29.220{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232252Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:32.042{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B55EF4FE5C3DDB514ADE381432BFA6,SHA256=B803DFCAD244B185C459C9D32D5E4F26D7A6BCC2AE1EEE92349C555D75FF6834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:33.776{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C3EECC00A929319EF3055A94BC7B4A,SHA256=E87A5B6ECC53B872DBB8EE26419C7D24FD69651EBEF0446F59D567BC963EAB16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232254Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:33.073{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA97855DE59A78060F7DAE8431E27EF,SHA256=D92687B46D9B1F12E43D6625F3D1B6A3DA9C422914D53F2CCB1B4F5ABA2A4B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:34.807{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111C9BBA5ED094D1F37580ADE2162DDB,SHA256=FBAD55998DE15B43058A8B6079EE47948192128E38AB747DDEF22F5558A9C964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232255Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:34.089{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F925A5760DA22FE36D14FA1D47640B5,SHA256=1BD77AB1D6847B5ABE26FF357922A1F5EFDD548C497DC8B5E5AE693AEFD6ABBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273245Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:35.870{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDE9CEDB1D6EFF21492D50174AD5B62,SHA256=4FC140F3B590D80F3FA459648C3952E9BCC409B8B4D1BCDC48546E0D1DD9109A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232256Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:35.120{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9033A41B2AE0877F465A2F810EE9C264,SHA256=148680B0C122D56C1BA0145B0C6790A520B3F82CA8D50D661492F925D3C2E4F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:32.627{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273246Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:36.886{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1FD9FD425306F5989375023289C041,SHA256=30570713CC264B2BBC5553A847668EC4F9173580347199CD44C4314BC985E09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232257Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:36.151{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CFC177542861A2AF040F0F2EE2A425,SHA256=6CA4FC0B6C3E5D7A19924B5E29247320EE7DA06A04EE9CEF5B2608F8A44E98F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:37.932{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5BC13BB265903EB512BA6400366BC1,SHA256=79DA80770068785995B80CF694D2299F39A2C487F04C03A3CBB2BE7D7BBE1F60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232259Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:35.001{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232258Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:37.151{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83B30B3A977F2447AF46C2B8A33BC38,SHA256=A562312A9B30F9EF713FDF445DEAC0C78A0FDF5295E7A0E6D61A0BC158E6855C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232260Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:38.183{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61FC7F8EE5416810D7E73C958161CC0,SHA256=3D5E6447FBE16D77F2B47DC6F263F79BBD3ABCEEC090C27654421297480C40AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.261{80A11F3A-4F17-6127-0D00-00000000F201}900920C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232261Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:39.183{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C13723291C27CCE4DB09FAF95C10CD7,SHA256=0B14253C8EB3A8E62A90A594252D5D73FD2681EF8C3BFD402A226D7E08C2BD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:39.182{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA38CB8B7B4274BDC9935D0C20C867A6,SHA256=A70D855AB9CA4175BFC6F803ABD93A1CDEF7B9CF68701FE82C413C9F5A1753F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232262Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:40.183{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25562D95A97B28B3122BE27FFF303BBF,SHA256=6B020ACAE6CC373B98718FD4ED2C6F6B7C8E002A5B72AC58805A46FC653F6404,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:38.611{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:40.307{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDDF091DEF3FEAC26629BFE83A24121,SHA256=2BC36CCEF15E66D25AC4D23C8E647CF04E84792B1E81574B676935D05CFE8A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232263Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:41.245{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1643146151DC3D12DE6023FA25A6C953,SHA256=AE0167CAE3A584A665697EE33ABBED045ECDE8148D260AF6ADA6AC9926404DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:41.432{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB00ABB9C66DF2F0321962CD84B5B4A,SHA256=D6A81C254CA851D46C5BE7CB24DB785C085C528C7CE081508506289D098DCC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:42.464{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDE5097360A369A9E394E9275C8F8D5,SHA256=62DBC8CA084AAD93AE0D9654FDE162CCEB23635ADC6B62ECE9A62B7E62EDB17C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232265Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:40.048{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232264Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:42.261{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DB0DD393F779CC1CCE210ABBD206FC,SHA256=87D251D23E6F05A0E0BD61BB08A7E3644081A2279DB3A5B2538748B5876083F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:43.479{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0D4314275D02CEA6E9CD4BC605FCDB,SHA256=161859EC4E9E80FD8D61FEA66067985AAFDDCD7F3DA88677CAD52B367C6404D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232267Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:43.433{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E0B53F0B92018D891CA26BEC112F7025,SHA256=840A7C2CEC79032CA495AEE4A78BD35D9971C7732D9D6AA21AF28830CB8E2F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232266Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:43.261{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D708D7E10FE36547A2C1943D770D1F60,SHA256=E9953AA704585FFCF6BDDB26FBF95E98E715E7DDAFC44466E6538C3315C9EE7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:44.510{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC289688020D2E9068F7C820105BC424,SHA256=41C165CF8A667D29EFDD5CEDB36480C9455D9F3B5DB5CED800B02E22082782AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232268Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:44.355{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA06FC3C74D14CBE67E11CCBB29A8F4,SHA256=3EED198647A2AB69479E5E42701A0CBDC4A43FA55E12ABEA7D6F50FCB4A0A39B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:43.751{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63981-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:45.526{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADDE67124887B314E3B6207C1544B91,SHA256=A2CD903A04AA4682DAEF38E813D9AF0384F3ACDC1565088849492B7F79752B66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232272Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:45.870{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232271Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:45.870{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232270Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:45.870{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F15-6127-1400-00000000F301}1080C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232269Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:45.355{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946C66B38A885FBA0F6ABA853653DDEC,SHA256=DE25483D4BACC50536CCE54CE5A7EFAEE0F205A5D34E80B694D6402F35543B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:45.198{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6CBA0B69DAEF7FDE0B964F1C0BE1AFB9,SHA256=F480894E213616C35545CABAF783329C32F89559EC7DA98C0D2D9E9ABDDEA7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232274Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:46.436{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-118MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232273Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:46.387{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0CBC35DBC19DE23C8BEAFE7B9EF3DA,SHA256=98E1B4D43D5D5F8F09C72CC95FB4FA50B89CCD1E80FFEE1A04AE2BEB0ADB5F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:46.682{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A5E1092415C0A716E56C7CF75DE69A,SHA256=96AF931856E232D059A93847B22088F9FE36799FCD033C8DB4AE0D425F9C3014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:47.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C879057B55ADE472108DCA2A766B52A,SHA256=DFE511EC39E98EF287B5CD88E203F70543A5C336FEDB415971DED361961732F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232276Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:47.450{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232275Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:47.418{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43ABAC77521A2508346453F582ABF92,SHA256=BD3DA5BC6AE0FB104E8EA515C7F1A5EA5A5DADA43D1B00431D20E4E5D3217D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:48.714{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D0F90F140DF4DCAA91F3126FFA2273,SHA256=E55E3BD08A3BA3FB72E389DEF6EA90218312A03CD65A2FF4BDD2DE49EA6FCDD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232278Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:48.419{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F0FBF0BFCE5CD46D91DDA8E1252C9F,SHA256=50672B4B672FFA8090F9F1B62023A1C0AB517E093DAE6B15394D21DE441526FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232277Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:45.158{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273289Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:49.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D43E2382243BDFE40B27EF37F1564A3,SHA256=299D10BC51BAAF030EC41DF761325E77949EF835AB96AA74E808B5C71A69C1ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232279Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:49.466{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5DC635F12D8AD2C78240E7EFEFAE80,SHA256=926FB4017119D0BFFE6FB3707C6955E208B79FA7D5A35F2F661D10C1BE843CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273288Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:49.635{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232280Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:50.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F2A9C984A89B477990D724AE8BCBC0,SHA256=40263D217898D54CD1FA4FEFC5AE6A0D28979D6C315CBB1F928B52F5DF13DD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273290Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:50.760{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32ABE6C6CADD48A93468E13DF76A8671,SHA256=5D7CD4D66237F83145DB7A93722B69F83B56B1A9509D3FA5DDA826A0DB9F449F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273292Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:49.205{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63982-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000273291Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:51.760{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF83434AE8CD63CA09C6FBA7311B8A12,SHA256=F2E19B2A24CE6E9B66ED96633ED29C5BEFCE8B2D8C27C7EB281AD60D51CB66C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232282Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:51.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67479A5D41FFCAB97AFC05DCDB1E7984,SHA256=2FD5E181E0134233B57679082EE724578F2467D3CF928588EEFCEF29C6775DF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232281Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:48.644{D371C250-4F15-6127-1200-00000000F301}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:20e0:2601:8273:fb42win-host-944.eu-central-1.compute.internal546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000273295Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:51.033{80A11F3A-4F17-6127-1100-00000000F201}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000273294Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:49.674{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273293Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:52.776{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09A6F59E285025436C2F4300BE9DCEB,SHA256=F1FA3D77B9589BE82E2EB6E501719ABDD46A79802714142051393F4C8B8C5B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232283Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:52.497{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B92B565D36ED00A7FFDEAA2A819A2D6,SHA256=54261244620C31735A0A1AEE033CB420F8A5A85AE86108B23E7D32DD8CEAA267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273296Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:53.838{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E6E9BCFD768D0526F085ACE6152B99,SHA256=0A367AF91514D2C6EE822EE719DFB1064F4C3113A62804D6403D3F379A368B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232284Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:53.513{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4733F6751A4F8D8A8482B8CCC3730E,SHA256=A936347C8330F4C488FD0B9A9047A36CFC0CBA80D6FD6B438EDF487172CC1F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273297Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:54.885{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB93E2CBA03681803CFB43387AFF35F8,SHA256=7ECC798BBC37B5ADBEDB67F03BCF3EA453B1003B0736E1BF063BBF3F1498E63E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232300Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.888{D371C250-6BBA-6127-E903-00000000F301}23122540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232299Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BBA-6127-E903-00000000F301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232298Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232297Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232296Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232295Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232294Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232293Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232292Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232291Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232290Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232289Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6BBA-6127-E903-00000000F301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232288Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BBA-6127-E903-00000000F301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232287Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.716{D371C250-6BBA-6127-E903-00000000F301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232286Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:54.544{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEFA651D17910F4B5C2F757CD74B4F5,SHA256=42FAF3B27AE83711629681CED356C7D5FB6821C2A992018DE8C75D8BAB9B724C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232285Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:51.143{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273298Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:55.901{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2A17B654430BC8D956C344BDD1DCE9,SHA256=DE3E04546F84D0FF6ED015C38AAB4740DE61FF697275777C67FCB8944304502F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232313Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BBB-6127-EA03-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232312Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232311Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232310Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232309Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232308Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232307Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232306Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232305Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232304Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232303Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6BBB-6127-EA03-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232302Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BBB-6127-EA03-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232301Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.388{D371C250-6BBB-6127-EA03-00000000F301}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273300Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:56.901{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15629A2914B5EB2BB639CDB53DA6FF4,SHA256=FC4E481B5CC446115598636854E617DE5292F08B18B820A5F21A7165E3C158CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232330Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.497{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232329Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB13B3BCD6684504538AADADB126895B,SHA256=A4A72538E480300DF65BA8E9A2D57F255A7504E13EF1A0368D0C5B6C9BE0597D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232328Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232327Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232326Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BBC-6127-EB03-00000000F301}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232325Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232324Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232323Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232322Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232321Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232320Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232319Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232318Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6BBC-6127-EB03-00000000F301}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232317Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BBC-6127-EB03-00000000F301}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232316Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.030{D371C250-6BBC-6127-EB03-00000000F301}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232315Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49BE82F4750DBF72DD04C71FAAF3CB64,SHA256=B81BC70F60502256FE2A8DC0520F9653474FBA36349FC24DE99470A76D5F7CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232314Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:56.028{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635F36102B3B44604B66471DA8636607,SHA256=870650AB59A34A216A0B9694EB4D8D528ED441948575777C63E10621EC51ABDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273299Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:56.338{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-0C00-00000000F201}840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273302Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:57.917{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC711FC2B6EED90A6AF8A7C856F5A0BE,SHA256=54B7F03A2373DDE5E8462350972C132B93BD062961B9703177BB1F3326697C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232332Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:57.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D80FD3D128C5FCE57181AD3EA3544F,SHA256=E874D397ED97CBAABBC994075935AC765EA44EAC034A1174AD9F8BAB3531F533,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273301Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:54.783{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232331Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:57.028{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB13B3BCD6684504538AADADB126895B,SHA256=A4A72538E480300DF65BA8E9A2D57F255A7504E13EF1A0368D0C5B6C9BE0597D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273303Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:58.948{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D067C835482F6FE2DC329F2711965F1A,SHA256=170BA3AC6E01ECD50C3150AF56338E745A7BF1186616C3DF9087F46E01F4FB0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232348Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:55.456{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000232347Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.294{D371C250-6BBE-6127-EC03-00000000F301}3163036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232346Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BBE-6127-EC03-00000000F301}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232345Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232344Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232343Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232342Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232341Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232340Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232339Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232338Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232337Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232336Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6BBE-6127-EC03-00000000F301}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232335Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.153{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BBE-6127-EC03-00000000F301}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232334Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.154{D371C250-6BBE-6127-EC03-00000000F301}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232333Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:58.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C96796861464D795D6204C1386E679,SHA256=DEFA7F4D2313E222FBA3FD7474F3415C66A12B8016C87DD7586E731C9EECFCCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273304Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:23:59.963{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179009722478E1E6600435A1C0E20C19,SHA256=1682A886E9446E1383A822B0A408B5BA312DB79DEC8D30ED48704F9BC11412E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232365Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.622{D371C250-6BBF-6127-ED03-00000000F301}25561876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232364Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BBF-6127-ED03-00000000F301}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232363Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232362Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232361Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232360Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232359Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232358Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232357Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232356Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232355Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232354Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6BBF-6127-ED03-00000000F301}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232353Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.450{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BBF-6127-ED03-00000000F301}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232352Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.452{D371C250-6BBF-6127-ED03-00000000F301}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000232351Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:57.065{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232350Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.294{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4836DFDFE788270F5E0C23B55975DF11,SHA256=EB2B7828DB98585FDA407700506898256EE8DD869E502B33AA5652724F0B1715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232349Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:23:59.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7651FC349FE6FFDE5BFF071DB330366,SHA256=8627C70DA56E890C65AE291C6AD45C84A83C64CE8CDB929B99AAE1E8DA404BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273305Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:00.979{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0420A5789A191B1C8454B194904BE9,SHA256=6DB89E97E33C7BBB81E02EC67C8BA99698F9A225A34A33D0D6739EDE268E8F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232381Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.497{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=652D19E0C75604CBD53681CAFB7C3DCC,SHA256=8A9121312EAFB2BBC89336CB725954928BABE18DDEE1758CAA4B89FE75EF24BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232380Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.247{D371C250-6BC0-6127-EE03-00000000F301}26522332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232379Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BC0-6127-EE03-00000000F301}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232378Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232377Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232376Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232375Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232374Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232373Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232372Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232371Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6BC0-6127-EE03-00000000F301}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232370Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232369Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232368Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.075{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BC0-6127-EE03-00000000F301}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232367Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.077{D371C250-6BC0-6127-EE03-00000000F301}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232366Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:00.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DC129891E37FF9EE27B05E2FF76E03,SHA256=BEE6F001CCD5107AD4CC169EEC05E55E4486872F0031B669A8C249244E9CA467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232382Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:01.075{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6082BB4861DCCC3A99074A788AC458D8,SHA256=01EE00D6334F2AD38E0B89D05053C0B30DEC4CF5896CDEE4C37B7F1A60DB66F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232396Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BC2-6127-EF03-00000000F301}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232395Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B848C19EA7BB3CECF78F41E5CABEA4E5,SHA256=6DED2AF8D7E6B9AED11EF84CDB62F3A20113EB9174D1A18C0373CE81C3D34D09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232394Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232393Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232392Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232391Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232390Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232389Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232388Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232387Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232386Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232385Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6BC2-6127-EF03-00000000F301}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232384Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.091{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BC2-6127-EF03-00000000F301}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232383Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.092{D371C250-6BC2-6127-EF03-00000000F301}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273306Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:02.010{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C0ABB9DF60BEF4FA67695CE44652A7,SHA256=3F74F548156ACA16173D0B63A330E9C1A85B1A3A03576CEF0A74A819EDED8339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273312Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:03.607{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-118MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273311Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:03.496{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273310Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:03.496{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273309Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:03.496{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F17-6127-1500-00000000F201}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273308Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:03.026{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FBA144BD215BA8ADB445714A511C52,SHA256=0ACE2000865C71658D1D493E198B0A4C69585503BD6CF272E7A0D48A2D9CB6F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273307Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:00.798{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232398Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:03.106{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77E110D016D7E19915247AE3E1DEC83,SHA256=59C9CE1A865A7BA842837F91525F981CBF85F44397CEDC9A5559B3A23604AF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232397Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:03.106{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50C885AB56F8247212A61FE0EAD0779D,SHA256=8A30DB7731C52FFDA14F6F305C48B31C12782391631C588A357A328038739DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273316Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:04.621{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273315Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:04.307{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0678334D8B6CCC219E999346D065977D,SHA256=ACF07E1A3BFB2099CAC0BA1CBA37690954254F366D9680487BE0EC8337D881C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273314Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:04.307{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C722B85166466C40B687119CE8DADA4A,SHA256=BC18CAF23BB04E708E3AB712C9A8BD6BCA846E03DF0F91D3C04BF665690B101F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273313Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:04.057{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A930F0A24140BA6091A7869180F613,SHA256=53F12F51A40EDC76EE74FBCE96692D9A793ED6BAE1C91761C26336B0D62DDB76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232400Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:02.081{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232399Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:04.122{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0818C7ECC04781A3E6A110F1373D6F7C,SHA256=E7E6CBCFB458DD3BD53536EAF22BD83CCC5B21E4FAA26A6F23003952C201243C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232401Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:05.122{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B346BAA5A2A8CD58867FC2D88C71DDA6,SHA256=D559768DA0D330CEB58BC0BBBE5EE8E3CC399FBAFA1A4E208AB0C8A3FE805F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273317Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:05.102{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C142382253F19E0E28D2E8E44A4C1D03,SHA256=C57A63120ED9F6115B3F59C8052E5ED0B1B05C8A61FE6D7FCCB352D323A9EBA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232402Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:06.122{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BF5E41F11E98C3ACCA0A180207C0D9,SHA256=47FC9A149BDC5957043033A886F8FEFE66A084B6DF742E778437652BBDAEA52C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273318Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:06.153{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A23F727E5097032D5A5D662027AFDF,SHA256=9C23A58DE2D759CF38B949B4C67CE642CA188EFF82D6DB0E9D14C82E355E0051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273319Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:07.199{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705CFBF09DA69C63FB0391D3074367FA,SHA256=0FC7F175459BDE7E4461EE9B04C95D39E8C93964ECC372698EAE4758AA4EC6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232403Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:07.137{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCC714410835E0F70A36F5A153B44B0,SHA256=11C35B657108877B22DDE84B21ACE30731031A5D0F06A6462487238EEE11EFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273320Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:08.231{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B7838AA95F4DD50282CF4ECD19A6A0,SHA256=B983B6216C58BCC183740041376E48953789761D32C05FFBA2063E452A3DB2A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232404Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:08.200{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15DECEDAEC405640C8C5F7798EEF530,SHA256=30229FD3CB06F4DEE1564D35B16D8C859789BF6B3D77ECF2288F100B22EBF23A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273322Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:09.246{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FE262CE39A650963B03A80ABB520CC,SHA256=6ADECD0B121A85CA0935B0E215580DA867AAB3399431C0945B94CBA59F714FA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273321Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:06.675{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000232406Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:07.176{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232405Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:09.216{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE321C77AB6BF42DD3DABDA49996D21,SHA256=838C910E2B755CE881317CDE43D3BD37F4F3B9BCF13F7CD5672F32AB36C85F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232407Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:10.231{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA9166FAEA64EFA4235E31B5560573E,SHA256=4E66FCE95E35A77991A1E7BFCEF93D6AE24D61D2008F7CA86F96D2E6516E5DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273323Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:10.293{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800D18985A60536DC6D98F31154E90BC,SHA256=54588E01271059CA2DCE1B359377284CBCFA955F1338D9A3FD2DB59D2C8704FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273332Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BCB-6127-2A04-00000000F201}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273331Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273330Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273329Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273328Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273327Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BCB-6127-2A04-00000000F201}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273326Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.902{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BCB-6127-2A04-00000000F201}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273325Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.903{80A11F3A-6BCB-6127-2A04-00000000F201}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273324Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.309{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254FACAEDC55FED3EC547B0B7F92A358,SHA256=05E86EE1CD3AA1C843842DB7F613DA5294C2426F273FE1771107670CFAD9E54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232408Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:11.278{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A19892DD201AB204A98EEC78A9AD2FB,SHA256=E93043E20A61704EAA44A37453E533DCB59B9E81C4EE0B882336573CF4CDB9F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232409Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:12.294{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22D38B8F3FA518C83173B1F12377F19,SHA256=0EEBD7FD1AA339533821FCE1875A43F5B091191D8D5FCCD9F488D63FDC44BE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:12.918{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C9799DA3CD52D5F7528F3838D57BF3,SHA256=B03E23AC801D858A1D1D24444135BA0462CED224829A7690B0C7C68EBE5830A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:12.918{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0678334D8B6CCC219E999346D065977D,SHA256=ACF07E1A3BFB2099CAC0BA1CBA37690954254F366D9680487BE0EC8337D881C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:12.324{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66B0B358B55C1D74ECD1A1790514C00,SHA256=8890C1312DD39994714B30A3855FF07642D35926A4FE542E3FEBB5994EB4D522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232410Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:13.309{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08B3EF6569244AB2D4F9D044AA1ADCF,SHA256=3CD50302589AE830AB65EB1A6B5B04E8FB69D2413262077F0B2225C0A81A1CF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273353Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BCD-6127-2C04-00000000F201}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273352Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273351Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273349Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273348Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BCD-6127-2C04-00000000F201}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273347Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.637{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BCD-6127-2C04-00000000F201}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273346Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.638{80A11F3A-6BCD-6127-2C04-00000000F201}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273345Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.340{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37402B87AB21E22FE665A636763C2F3E,SHA256=AA5564F045A9F20F4153F5CE39C23EF3FD8BF40043F8353379E69E54565C632B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273344Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.262{80A11F3A-6BCD-6127-2B04-00000000F201}20283140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273343Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BCD-6127-2B04-00000000F201}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273339Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273338Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BCD-6127-2B04-00000000F201}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273337Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BCD-6127-2B04-00000000F201}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:13.059{80A11F3A-6BCD-6127-2B04-00000000F201}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232411Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:14.341{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0411F6223990E37D2EAECF0A547CF3,SHA256=E68E558A617DD9EC9B685C1BEC8CCF781043972307A517AB490EB14EB30ED454,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273356Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:11.815{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273355Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:14.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFDBA71E0D08ED0EC8E4E137FBAA7F6,SHA256=F7878653742AA9B6498B756D6E9504513BD3E0DEFFA65730ADB51EF908A06D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273354Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:14.074{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C9799DA3CD52D5F7528F3838D57BF3,SHA256=B03E23AC801D858A1D1D24444135BA0462CED224829A7690B0C7C68EBE5830A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232412Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:15.372{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63ECBC7F32AE26D910F8FE77A78F0B4,SHA256=141166249C82C27CEDDF0EE90F3F82E2639B443483274C4D9CACCE7A83D612A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273358Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:15.543{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FC34BC6C8CAFB76579FF7EDD7441CCC,SHA256=0961DC4AD1A18CE822D7E87030A0EA5F378DCC99252629FD37F3CDFB8DE999C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273357Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:15.371{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1A34B135A649195BD9AD694F0B5512,SHA256=86447E90C924F7D0223C47B762972E57C481C037895A1FC9A2FC50A5CF66315D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232414Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:16.372{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A82FE4D162DEFA481E41D84144E43D,SHA256=F9FAD86F9211FEDDEF0AB355AB9B833ED54D1F1DF525DB537D28C30287E9B64B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BD0-6127-2D04-00000000F201}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273366Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273365Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273364Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BD0-6127-2D04-00000000F201}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273363Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.824{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BD0-6127-2D04-00000000F201}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273362Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.825{80A11F3A-6BD0-6127-2D04-00000000F201}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:14.097{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63988-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000273360Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:14.097{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63988-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000273359Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:16.387{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2881497978E3662DF701213BEA748F4B,SHA256=612353FC19C3F4F4D30090ECF496C90465AFED45124101F6A2382AEA17E2E8F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232413Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:13.144{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BD1-6127-2F04-00000000F201}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BD1-6127-2F04-00000000F201}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.997{80A11F3A-6BD1-6127-2F04-00000000F201}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE600620875D7C6DDBE7B38D13160472,SHA256=2A05EB003BAE34AAC8BA8765A1365789203ED5CBE24074862739CB40E1AC1712,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.543{80A11F3A-6BD1-6127-2E04-00000000F201}44483804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.434{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42043E4B8F2F108D4AD035EFAA232FC,SHA256=3AC3D4A259C196348BDF18FA7A9D14C4A5BA7ADAF9899709DC36A01D0606051A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232415Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:17.387{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550FD474A4B13DC49B823F9FAE55D018,SHA256=D468C69078A8A3B29DFBBA550AADBAEAB41CF8B4ACACD21E2AFABF0AA428C91A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BD1-6127-2E04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6BD1-6127-2E04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.324{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BD1-6127-2E04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.325{80A11F3A-6BD1-6127-2E04-00000000F201}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.043{80A11F3A-6BD0-6127-2D04-00000000F201}42361572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:18.668{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7288658E1909A2C44834BD184E94561,SHA256=A8478F7A617D649FD6CC53C4816A1292D11751540B15BB6144EF596A9D543819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232416Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:18.434{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=960E63EA09AD50546F05AED3D9336DC1,SHA256=8C2B36F72CCEABA1D5C6AB0EEA2323C7AF8976C172CD38B857B80DEE9D7DAAB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:18.215{80A11F3A-6BD1-6127-2F04-00000000F201}10721076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BD1-6127-2F04-00000000F201}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.996{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000232417Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:19.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5431947A313313B38D1358707DDDBDEB,SHA256=96C8E644B8474CA50FDB5F9152698FFA5FE62B279F41DC961DC7D7D464BD9136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.685{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E236928ED5ABB920688D375DFD9BFC9C,SHA256=B670205BB5D09708D959C8172E8C27A39C946C24C1D840CAD83C81CA3CE1A2D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6BD3-6127-3004-00000000F201}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8405068C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6BD3-6127-3004-00000000F201}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.512{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6BD3-6127-3004-00000000F201}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000273393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.513{80A11F3A-6BD3-6127-3004-00000000F201}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:19.027{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC761E91F6B9D22C40529E6CEF85E57F,SHA256=E6BDFAD131519F07691330473ACFB4EA6C4235DAAE7463D943C9946A5275C5EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:20.699{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B744E712A786C454B505D17738293DD8,SHA256=0F2A4C63CFA264A3F908C519FAD9F1E753E7087D52BFF30B34828802E897BC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232418Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:20.497{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C7E3F33099BBD54A837FD2D4679F7E,SHA256=A2BF218A0F7F363108C69BD6DC1470C4BFE47EA7291AE5DFE59971EBF90E90DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:20.527{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50595520CF633E9B31BE0728B4239CC6,SHA256=CB0AF4AC145C4093612B8D66C3E5B2C3AEFEAA3247AC13C92BA5CA8579CF6473,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:17.582{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:21.934{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2502A33B622F8FFC1AB105EBBF1E2E,SHA256=83BD9E907825EF7DDF02C61C55E4E5D35EF34934A41A4098B956881A78535F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232420Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:21.497{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A618545E82BE899C26C759A06624987,SHA256=BD0694DCF0F492F7295B6165D3DA41E53D8833A2C7017E22F7ABEB0E59190412,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232419Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:18.159{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:22.949{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73CCBC188D5264209CDE5EF72579B49,SHA256=88DE5EA62A3B8EE17BD787BF6461580650B29BA64C242A758CB4DB63D067D5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232421Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:22.512{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D56323388DB2A7B6213C4D81D10E98,SHA256=944210CCC4B99BE5CC7FF73B037034D3DE962287C7C942A64E9FD7A3AFA31C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:23.965{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B277451085FC03120828F7FEA16E0D,SHA256=30C94197BD0A99D1AF61B4CE77CEC622C8248B45575B707DF6C35A6F65A1BA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232422Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:23.512{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DBB6A094D38AB32F8561CDE3B44C50,SHA256=0C388DF186464B5EF5C83DC7BA3BC94409E2454BA8168EC8E5D209F1E3CAD3A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:24.996{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4719ECE23A224F986A0A516523A36441,SHA256=4AE603CD3A4DD053B99EC13F660F4A4CD6FBFC8AAF3EAC5E8F8970F56A96C159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232423Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:24.528{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736D771B6C0A0B48C5F049A96A00EF58,SHA256=8C2AEF2480A5B81078ACA7EBBB97C91B24A5AC7A3F1DCBDE06FFFD51E673CAA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:22.737{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232424Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:25.559{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7346A2B1B4ED70B55529188E3B0C6479,SHA256=978150F3E545E58C1BA822E123FA5843389F4E9C914006E19688848B462387CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232425Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:26.575{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083DC8ED4B8E5F93C9635B711336C40D,SHA256=DFFFEDC489C6CFADBB9826E9931AB1B5F3B77705EC8476B7E61F9686DB58C387,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:24.522{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local61138- 354300x8000000000000000273412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:24.522{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64833- 354300x8000000000000000273411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:24.521{80A11F3A-4F27-6127-2300-00000000F201}2724C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local49774- 23542300x8000000000000000273410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:26.059{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BFF2D7C184F43E290BEFC39C9E82E8,SHA256=52554E91FCD3534D70D7A274106F9344A8EAF6E22E024F5E72AAE23C31568DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232427Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:27.653{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7081223C4F393A8303490B13ABF59D,SHA256=B2079AE6654B9AB65E96BB5D9FF752F21EB7AC45466101B7ACB4C58092EF130E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:27.074{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89796F491E4A44BB379FFAB4CDF65945,SHA256=7C8F6FE11877327492192C7BD96655DF766AF4C36D6FCB88329B13F933D6F8C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232426Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:24.175{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232428Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:28.653{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6605F9EFBADEDF7B99EF40454336C4,SHA256=6FF23827D1FC924BA8D268A17651A2D62556963400FA6075CD3DCB99E42C14D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:28.449{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2800-00000000F201}2816C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:28.449{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:28.090{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48082438F2D9A58A0EA81AF890A22A56,SHA256=0D4CF8F6C991DBF24D530C1E7CD68E59ABFFC9BC5E69BA35BFE1E2BB105581BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232429Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:29.653{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98BD76D5714464360708C8E2968E77E,SHA256=88E5E4515E0F0E795AC1A3D81D7B9BABA610E304D7DAA8B81FD5A926121CDF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:29.121{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963C9D31814FDB431876F72CE0AEEA2B,SHA256=FA82CDA742D2B58AE81DD28373E3A87E2C383183043A99BFD9A0038CAFDD2AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232430Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:30.700{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585E3F6A8A5BAF05CC17FA426C42BC86,SHA256=8860F38A83D06B77371BF8BA77E218FEE15FBFA5BB38C9C6601EA222579CE63D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:28.690{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63991-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000273421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:30.308{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:30.308{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-6A73-6127-0504-00000000F201}1620C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000273419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:30.121{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3567628FA8118B8DBB9FFEB91D2F309C,SHA256=9CC0332281494FFA7C85AFA095024128854DEB4BB37613C23ECE1AA32CB9D0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232431Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:31.731{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB449CBB40C204EA16538290E653DCA,SHA256=8CE00B7183B786E788C69C2CA4E06A195E9E29D6F32EE5FE588E1C199509D4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:31.152{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A056655FFFF6CD4C0ACFDE781CA5B0D6,SHA256=1441A14EADCE3CA951DD722796E4A35A8EFDC00AE223A4528AA0B2D0E140E0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232432Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:32.778{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F198B591E54E9E11F2D78FCD3FE95F5,SHA256=F5CC4F32D224BA82AABF1780F336080313AF98F665803542043B0E012D763795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:32.152{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63175817419CA143884EF8F96D48E5CB,SHA256=3A2F6BA7B9066509553E0DD79FAF83E487220DD8277698206D1C73846FDAAE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232434Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:33.825{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDD99BF230EFBB6FAC9A08AE5DA9E47,SHA256=0D6DFC3365E1179B9F3DF4AD5299CDEDF5E3E627938D607A6455187CDCB58DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:33.183{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCC531FA0655B5DE8EB969BC380A21D,SHA256=E768F10FAF1340A4302DE87E83F383A85A25BAF2789663465605770F17B1E491,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232433Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:30.066{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232435Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:34.856{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1710043F3B67A0DA04AD31BA0D0559,SHA256=4CFE068AF6A86D0352845C542A921E0E97E351AE1892870274727CCEF069B78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:34.199{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C361D4C77AD29D1D527590E51D20983,SHA256=C3FEA203E8C9B251B8350A1C4830369A1D00CE9131BCB0F6070663B16BA406CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232436Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:35.872{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C985C9783D030D6F4CF37C6244134CD,SHA256=940B656FD64A6E9513F8CDD5E3C6C65555A5D2ABDFF801781ECD16B6333EAF7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:33.815{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:35.215{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83703A14C2BAD83A0A918EF862C74869,SHA256=3C4BB634DE4A0BB2AE0B9EB29CDD2BC2AE5486EED0ADB4CA94492AAAA16940A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232437Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:36.903{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E332C051EA812ED6E6AB8103DBA1EF,SHA256=C4B936B690F60604AF0D2105600A4AA866C54080A1518332D4DD2FC8105E7285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:36.230{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FAF0410D5006A352F853AD39D6CE735,SHA256=E272F097ABC2450258FD4E0A286D5B631D035B58D4C67B6126C75762975BFB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232438Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:37.919{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7EBBF1005F2A1AA3EF1763A6AAA66B,SHA256=89A9D2E6F1FC856E784A97C0A27911A837E8C70D519165857C756D2DB1D45415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:37.230{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA2C1C2B8AFEE04DCF5E763BEDAB457,SHA256=C9223D275671F6BF79F7EA33D249DB1EED3D8457C632F954296E73671E258918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232440Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:38.950{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B72809FA4B4E6EF2F751224ED066E7D,SHA256=9AB256C2E46FBE3DD359ACF707AAAFAA21C3F97755E50956A875FA97C0E0231A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:38.246{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BECCDF724CD44828D1071F9A41D26B2,SHA256=115038ECBC4B1CDBAD71C3AE4332F7D33604688D48813C648698F4F91828B491,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232439Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:36.066{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232441Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:39.965{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E9DC75F42B24387CE0789C0E518FFF,SHA256=66D3D4BFBD2588D96E00D3C002665CC1AF588801871227ACFFC90FB855C2FFB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:39.324{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7B949342A44ABC06098E82F1D1F3C8,SHA256=0C44BEFBC05C53DC84875777168553EB42AE4B1E73CEEB9C6C089058441EB8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232442Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:40.997{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82A87D2152182A34ADE595430AEF531,SHA256=55C6C52362EAA89DB0A114BD0B830B1B708C76070C717B7F92204B1250E6CEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:40.340{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DA2CBB3BAA6A79C0CE93D95B749867,SHA256=B98F98F137BFB3823D8E8D554CE9FAC67E09E4780C5FA0C0FA70A78334B0B9B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:39.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:41.355{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345D14D415D31ECB2D2E9B31CF709F4D,SHA256=585DAA1F1DD2D90F3E1BAB9CD39A832AD88FBA470408DC042550D0845ED36019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:42.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23092647E1DCA62777E1A6D6A6794C4,SHA256=903E505ED1F78D92F6A116D4E5A32843A0042AAEC31D9AFAC14818FC3D969DDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232443Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:42.012{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164D3CC4B3E6DD5640C3485A0A53E6A7,SHA256=F5C1CA28F0F3C50E23DBDE08F04A20B4F7E6747A22D07994901AD934B6FF8381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232445Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:43.434{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FF4A1CECB93A6AC6F4E449968E7DCB84,SHA256=3E706BDED268282A541FA350317FF72E1D7AC47B80397F44BA918890A729D229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232444Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:43.012{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7B2CD44C6AE89137318A89CC16F2B3,SHA256=EAB0C8B8A1926BE90C83E12820DE2F06D11E87F7094C92004D0DC356D948DE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:43.402{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53AE9106EAD3646AD5C2F5709C686B9,SHA256=E65FCBAFE72FFD64F48BB8ECCF7DDB98B0A542FC25F63E14811EF114BAAC8306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:44.418{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2AB052F743117D726A0A14F2815CFA9,SHA256=AA9C77C508F1BE6A3313650CBF64FF87B1CF77E89F431C7FDE3684C1A5707E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232447Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:42.034{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232446Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:44.044{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762F61B5A5ECBB9AFE0E0ADCDF461704,SHA256=94F008E4FE77C27486B3F35245F6A2AC3F4FAA3C5265FDBCD84770CA8AC0F4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:45.418{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A73167D2D953438E6868FBAB7EFCAAF,SHA256=5147E1D82FAE6103F6995A023FB96D3C67DC45257C81055C8A963D815A542A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232448Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:45.044{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B937E729235A17A3A6EF88786D395F8,SHA256=4C50E86A6CA4BA502DF6C71B5951B028B52F6305FDA0B2F3827DDB616BDBBC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:45.199{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5D2D11312F81746DC3A8162B0AB3105C,SHA256=B8DF8E1B843BC559682C2FD10914C248378E72D828165B6CF6DF11EFCF8D0133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:46.433{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602DB5723B5773D6FCF122E634CE8EEE,SHA256=4466ADEF2547161261E38317D0A5B92169665B558C6B36519E4787ED12E8150B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232449Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:46.075{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E253CD24D802149521A7B3E5CC25E830,SHA256=49DE8906A9A94907A9394564EB39DCAD7E81CBD2B6A9B066B5BD9570016A6B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232451Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:47.970{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-119MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232450Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:47.090{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41729C31DDE082B78AF6D25A7049793C,SHA256=8F82E5755C17A8E92B896CADBBD628A5E8FD9F12C9111EAB1A359BA2C90EF37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:47.449{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F89D4C4F1A0C0ADDDB9D91FCA0533B,SHA256=DD110717F02ED72D053040F194B305D44D5D34588258D59B7A5EDDFE505D7206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:48.465{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066EDA9C308E6D1EB2A23B2B6F11184F,SHA256=9B1B032458F34984DE2A909CFEA8F28657FDE157A9CCD16F19FD0A8F10EC6601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232453Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:48.977{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232452Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:48.100{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F62FE16DBEFC7869C05EC31657916D,SHA256=B8B22B75B5BAB6D7105997B4FE69F3EC94BEA3C100E37D79090AE48ACCAD074B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:45.659{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63994-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:49.636{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:49.480{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60333E0CF39FFA0BDF24FDC3BCCCECF8,SHA256=FAE937C86ADBDE51E1854B3E86ACBE9EF121832E1659BCFC02B87CA65789A6A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000232455Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:47.122{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000232454Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:49.146{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B24D2DA106E8C17111D2F7522DF46BD,SHA256=8213D497174BF18E3B934204BF1C8CA64881A0C66086AC57C3892D7F47DC87CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:50.496{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141ACF8A2F5A67F409F8909EC9EA34F2,SHA256=856898791E198B0DAA1FB011D39AAA0A94D29829667B543916716CA042F3792A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232456Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:50.196{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FE585CB000A929BD188AC0ED870811,SHA256=3F351B53A7CDE1EC838EBA4612C2A4033B5D14A6C34E2E197A4FD815ABA25335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232457Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:51.211{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B836A829888FFD9B8CF1C7B5840F30,SHA256=08BBB7197C46F46AA087071A24389C44F156268826493BFF02064EC026D96424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:51.511{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D444E0A88FFA717046F5F9FCEF0D451E,SHA256=FCF3DCCE19F22C48311F6437987C40606357139B68E3DA5C9D0039FC16548B86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:49.206{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63995-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000232458Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:52.242{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E74B6A3CA04E0BBC6576F6207DC072,SHA256=F85F52DCA37B0FCF6843D6A3906243B56CD02C7963B3F1D1E766ED88E8344493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:52.511{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4AFDCD514B61D9657B079F478A0B8E,SHA256=E1A8BBC0D9020CFF22BE7E5DDBECE40CCF51D8592B4D7600514756F77B134037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:53.558{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA704289E780B9770E2D5F02A4DFBF9,SHA256=2F9A1C1C0BCB0F9D7BD783A57ABCF70571BDD1A447F9F60ADD02B5CC8D315376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232459Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:53.258{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E750D7927B9AEFEE28B8A819346E47B1,SHA256=8FC4AD8D38B87646E1D5AABD63658B5AA0DF4EDF85433F1BB37472D82F9C7DD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:50.675{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local63996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000273453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:54.590{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1586B265ED7BE8FEEF4BEC6AB5EEA20,SHA256=7E25EC09C4516CFC2C34B4123A3511B5282849FFD181B068284B279315068AF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232473Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BF6-6127-F003-00000000F301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232472Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232471Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232470Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232469Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232468Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232467Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232466Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232465Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232464Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232463Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F14-6127-0500-00000000F301}412952C:\Windows\system32\csrss.exe{D371C250-6BF6-6127-F003-00000000F301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232462Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.711{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6BF6-6127-F003-00000000F301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000232461Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.712{D371C250-6BF6-6127-F003-00000000F301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000232460Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:54.305{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98E2EE5AD8812D284130106C6283AA4,SHA256=73E88B827A9245B3AEAD0E5AB8B49C6DB3F6B9460E37AE201C6D56D938E6A62E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:24:55.621{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460F4E5EE0B2D8EEE51F36139D54EB70,SHA256=4C98C4C5E4879623446C53146EA3F3463F98C7B9372189BDB424BD119CC44AB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000232502Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6BF7-6127-F203-00000000F301}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232501Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232500Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232499Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232498Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232497Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232496Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232495Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000232494Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:24:55.883{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe