11241100x800000000000000077656Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:22.719{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077655Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:22.719{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C70AAB9D6BFBCEC8527E1D9C7E287D,SHA256=9479E86BBA056B5926941AB73F475C53A30764795138D1F2CDA0EB7D73FC9313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075489Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:23.708{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B230C68334E5C53B54BDE61A08CEC42,SHA256=D396E3D36CBFF308C538DE85F44594E86F997417B4520C29B7AEC64357CD9F3F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077658Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:23.735{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077657Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:23.735{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D8AAC842BC5417F7E9FE565A3CD991,SHA256=9F0103DC6ED9CBADD8E2C811123DD9676E8A07F60833F1FE1A8587E6E3D62AEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075504Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:22.309{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50618-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075503Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.723{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356F2DDF2A2041D10510085E7343B3EE,SHA256=F43D393C9B102D43F6FC744743BDF933ACD42058566120077E8773F5CED26196,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077660Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:24.750{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077659Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:24.750{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E58AA6E1DB382BBD82B75F699526DD,SHA256=954E269390A18C1FCE094BF06253D8A5006EC033159FC4799466A2677A6D4616,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075502Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-375C-60BA-D30D-00000000C401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075501Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075500Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075499Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075498Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075497Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075496Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075495Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075494Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075493Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075492Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-375C-60BA-D30D-00000000C401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075491Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.661{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-375C-60BA-D30D-00000000C401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075490Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.662{89999F75-375C-60BA-D30D-00000000C401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077662Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:25.766{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077661Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:25.766{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E612B4F70189A4C6EC47DF1FD86CAF41,SHA256=5A9AB985DC2A014FDCF514D8086FB2D95FF3B3DBD40108005D19A5B9A37D2E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075520Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.723{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169C2C3E4A7B160D397B4ED3EE8E725C,SHA256=632D1AAA2F7C039A830853643612106DC46674B9DC2A99B529FE3587A1290EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075519Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.661{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0E6573F9A7CA60184AE2C44BB761C45,SHA256=727ECB1409012CAA90423F8A69669A99C97BDA875150696F92165FF1927A8CDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075518Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.458{89999F75-375D-60BA-D40D-00000000C401}4532716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075517Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-375D-60BA-D40D-00000000C401}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075516Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075515Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075514Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075513Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075512Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075511Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075510Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075509Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075508Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075507Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-375D-60BA-D40D-00000000C401}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075506Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.161{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-375D-60BA-D40D-00000000C401}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075505Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:25.162{89999F75-375D-60BA-D40D-00000000C401}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077665Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:26.782{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077664Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:26.782{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D9FF1BD66E4FA1F806AF413E7670C5,SHA256=408141A66E13C29E69FB63BF39E406E390B3B1E6CA3B6DDB32325BEF3143F215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075521Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:26.739{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5A7770227E6E1F3BD2B51472786A0D,SHA256=A87E9A5F744E596F93AD27198CB7D7B464E5B91EE42762195260488327078AC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077663Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:22.807{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53541-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075524Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:27.755{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19AFF576F42587F36430B5780524C8B,SHA256=E6677D242EBEABAFA99EAE5F93836B30D52C918F330E497F7DA0C957295E9FE2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077667Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:27.797{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077666Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:27.797{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F9941DC84DF077C58A55C84F7AE0CE,SHA256=5866DE3DDFE610CDFBAFA0CBF23DD08214B93BE09E0F198B7914B35F3FF285DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075523Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.419{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50619-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 354300x800000000000000075522Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:24.419{89999F75-EEE0-60B9-2800-00000000C401}2932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50619-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 23542300x800000000000000075525Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:28.770{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524CD08C4331C2B14C5B03873832CD92,SHA256=CA3F268C0CB405522F4931A643ED3F72273A6ECA0A901F82AB25F4A2299CEC58,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077671Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:28.798{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077670Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:28.798{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9F1BA443E6B03250E263C98D58D593,SHA256=B4D228633988AB5B9F9373821528CC3E2881E5D13CD5AE5904E6C3D125D77C58,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077669Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:28.375{3F3E08E7-F094-60B9-1100-00000000C501}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-06-04 09:21:24.810 23542300x800000000000000077668Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:28.375{3F3E08E7-F094-60B9-1100-00000000C501}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1E6A286C18D240AAB6B438855ECE4FD1,SHA256=4EC32DD7E04AB81DD75168A01358AD990D8211E1FF1947DD6385EF2798845E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075526Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:29.833{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285A913BF8FCF8F43C51D8A47AA44ACA,SHA256=3DB0BC3F8C8481BD042D504EE188A1D11BC913F6BC7908677ED9867E4671E320,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077676Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:29.811{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077675Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:29.811{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A252EFF848CD8577F47F98A729E976DF,SHA256=9F0FC446D6DF73908AF419A02E6EAFFA45961530A91BEB8467470A3E92EA4711,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077674Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:29.220{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-1300-00000000C501}744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077673Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:29.220{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-1300-00000000C501}744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077672Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:29.220{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-1300-00000000C501}744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077678Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:30.814{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077677Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:30.814{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67D1903D8423EDED62119FACACE0FB2,SHA256=2BD2C5CAB9B6631F49E341CF0A130DE96156BF8AA80002143C883D18BBE500A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075527Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:30.848{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448B0E5E5705FAFCB56366B3E4D0FCA7,SHA256=BE6EE9551B37E04FF3520C63DFA6AF5537B25475DBB45592156AC88D7F8CD89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075528Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:31.864{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E9B7BE73587ACFED6809B295C6D868,SHA256=4B32718FD362E0735EE275F78F55568A43244741D89BB70578EE4E83C7753A91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077681Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:31.830{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077680Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:31.830{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61D21C7C0AB60670BC5E60A3604F3E8,SHA256=785C0ED348E3BC1EE62E7FD5BEF10253561646BE397C69E37B1E5CCFB98D648F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077679Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:28.824{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53542-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075530Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:32.880{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18B0C21B05AFA4393819574CD58A68D,SHA256=C89C0C87651535F2B8FCDE56F414DFB90710D2AE46F791587C228D34C349DD5A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077686Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:32.845{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077685Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:32.845{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B6F056543D3413EC26ABC9728BDC63,SHA256=89325F2E7FBB250796358F38951A0E9411CF43119A8B7B792FF2D0CE84C173EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075529Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:28.356{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50620-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077684Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:32.798{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat2021-06-04 08:43:19.954 23542300x800000000000000077683Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:32.798{3F3E08E7-FC3E-60B9-3405-00000000C501}952WIN-HOST-243\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077682Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:32.798{3F3E08E7-064C-60BA-2907-00000000C501}5224C:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Roaming\Microsoft\MMC\services2021-06-04 14:23:32.798 23542300x800000000000000075531Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:33.942{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD67BCBC85731E941AB4864BAE13190,SHA256=DD5DFAD78AE49EEF8463972E119901F4C7A98A540836D47548883299B7767C38,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077696Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.877{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077695Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.877{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48ADD0BE2FC296CCDF49C83C56210B5B,SHA256=3FA80386A2109E3BF642E1AC0DD825607BC1E50FC3EB2EA4E27F660B350F6CED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077694Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.502{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3765-60BA-040D-00000000C501}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077693Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.502{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077692Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.502{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077691Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.502{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077690Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.502{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077689Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.502{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3765-60BA-040D-00000000C501}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077688Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.502{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3765-60BA-040D-00000000C501}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077687Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.502{3F3E08E7-3765-60BA-040D-00000000C501}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075532Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:34.989{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8CC0280AC965A067E840A61BBA4F39,SHA256=20D4A4BD2A23CBD51EEC8F86FD3C4923395D2C10CED4575421D926B30E6696C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077719Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.970{3F3E08E7-3766-60BA-060D-00000000C501}35563416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077718Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.892{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077717Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.892{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEE552BBD7490A922FEEF00CC0C7381,SHA256=7EDF4F5EEBF0D0D190C4FE0641EA5936E24BCE283BB0E969043FFDDAD6341686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077716Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.845{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3766-60BA-060D-00000000C501}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077715Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.845{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077714Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.845{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077713Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.845{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077712Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.845{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077711Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.845{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3766-60BA-060D-00000000C501}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077710Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.845{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3766-60BA-060D-00000000C501}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077709Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.846{3F3E08E7-3766-60BA-060D-00000000C501}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077708Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.564{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000077707Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.564{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B0C4AFFE69CC580D9ADF9D2894E445F,SHA256=B74D1D5C53A59138D12BA500F025E6CAB4384DB1A29F4D681EDD0785F648E8D5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077706Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.564{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000077705Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.564{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A25E2952D9973B9CB08FD315C34A8277,SHA256=5169CAE3319BE526D3E2BA7DF0F7B3FCE46CC6B1A0A8495714E65305248DADAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077704Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.174{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3766-60BA-050D-00000000C501}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077703Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.174{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077702Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.174{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077701Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.174{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077700Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.174{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077699Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.174{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-3766-60BA-050D-00000000C501}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077698Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.174{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3766-60BA-050D-00000000C501}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077697Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:34.174{3F3E08E7-3766-60BA-050D-00000000C501}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077723Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:35.908{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077722Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:35.908{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C62B165E81A42FF4FDFA4DBEC216EBA,SHA256=6C6346AA29C886A25436229C1BDF6D71CCBFC950454348CDD947C1F99129AFB5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077721Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:35.861{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000077720Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:35.861{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B0C4AFFE69CC580D9ADF9D2894E445F,SHA256=B74D1D5C53A59138D12BA500F025E6CAB4384DB1A29F4D681EDD0785F648E8D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077733Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:36.470{3F3E08E7-3768-60BA-070D-00000000C501}61125544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077732Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:36.345{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3768-60BA-070D-00000000C501}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077731Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:36.345{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077730Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:36.345{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077729Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:36.345{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077728Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:36.345{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077727Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:36.345{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-3768-60BA-070D-00000000C501}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077726Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:36.345{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3768-60BA-070D-00000000C501}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077725Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:36.346{3F3E08E7-3768-60BA-070D-00000000C501}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000077724Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:33.840{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53543-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075533Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:36.005{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F5336FE85AE97BF1A19B39A142C2A7,SHA256=EE830BC89ED4AEC03EA366088058E67B8220A82A6269B94CC8EF82CCDE3C4251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077754Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.689{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3769-60BA-090D-00000000C501}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077753Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.689{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077752Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.689{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077751Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.689{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077750Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.689{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077749Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.689{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-3769-60BA-090D-00000000C501}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077748Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.689{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3769-60BA-090D-00000000C501}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077747Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.690{3F3E08E7-3769-60BA-090D-00000000C501}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077746Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.361{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000077745Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.361{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFDE97A5951732C7B46BA0C1825E689E,SHA256=39485C39CEFB680E0C7B755FCFCB966435D506B1345A8F7921161DA2246E6B0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077744Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.142{3F3E08E7-3769-60BA-080D-00000000C501}43565876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077743Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.033{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077742Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.033{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C648B36FE90ADBA79C9113681A270C,SHA256=90C69A0FFED527CC954AB90A201D1488FB8D5B0AC7E1F7576AFEE0F3000A88CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075535Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:34.387{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50621-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075534Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:37.051{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FA00A436A1452631C7F4866BE1F41B,SHA256=9D0FF7DF9DCB22007FE00EC3FD1DF0D09440B62BEB2498FBFDFC9BB5DD8EEF0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077741Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.017{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3769-60BA-080D-00000000C501}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077740Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.017{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077739Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.017{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077738Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.017{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077737Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.017{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077736Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.017{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3769-60BA-080D-00000000C501}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077735Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.017{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3769-60BA-080D-00000000C501}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077734Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:37.018{3F3E08E7-3769-60BA-080D-00000000C501}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075536Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:38.114{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA5981817B12FEF05FC87D3387B71B5,SHA256=12B4F311A40148F6B930E1976B7601CE0670F421DE79EC1BC166AC6E6F98472E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077767Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.689{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000077766Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.689{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DABA761A0ECBD0BABD98D51C927C62D,SHA256=5B4CF5183CE0D6761F97AE1D4BCBD3DC70DA551BD1C7570E00008CD994A349B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077765Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.486{3F3E08E7-376A-60BA-0A0D-00000000C501}3588156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077764Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.361{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-376A-60BA-0A0D-00000000C501}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077763Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.361{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077762Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.361{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077761Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.361{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077760Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.361{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077759Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.361{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-376A-60BA-0A0D-00000000C501}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077758Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.361{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-376A-60BA-0A0D-00000000C501}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077757Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.362{3F3E08E7-376A-60BA-0A0D-00000000C501}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077756Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.033{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077755Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:38.033{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ECE6A78D791FD02A24B7AF5396AF23,SHA256=A345EEA58D8EF350C888F0FD5C17DD9204529EE46DD8010C347405C2264CE84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075537Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:39.145{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60002A2C870AA47DF6261139236CD21F,SHA256=C1809A459DCECADCBCC5F184C8BDA6F958EDB161C46F7A3DF62B3B9BB49DDE9F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000077779Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:23:39.614{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000077778Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:23:39.614{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0114c044) 13241300x800000000000000077777Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:23:39.614{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75944-0xd4706b6e) 13241300x800000000000000077776Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:23:39.614{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7594d-0x3634d36e) 13241300x800000000000000077775Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:23:39.614{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75955-0x97f93b6e) 13241300x800000000000000077774Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:23:39.614{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000077773Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:23:39.614{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0114c044) 13241300x800000000000000077772Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:23:39.614{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75944-0xd4706b6e) 13241300x800000000000000077771Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:23:39.614{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7594d-0x3634d36e) 13241300x800000000000000077770Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:23:39.614{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75955-0x97f93b6e) 11241100x800000000000000077769Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:39.049{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077768Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:39.049{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D335A25E2BDE4EEF3E845F7F47588BC9,SHA256=610F311155E87D5C794709CD12986F92DA74188C7C44AC14F4A1D793B517E412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075538Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:40.180{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12EF7E95ECC5BD4F0807E85F2D3E224,SHA256=513485272E23D1665A11B59EC78A33CD7C5D3E7DEF8080825EF7BABCB21E68BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077784Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:40.926{3F3E08E7-FC3E-60B9-3405-00000000C501}952WIN-HOST-243\AdministratorC:\Windows\Explorer.EXEC:\Temp\test\terraform_1952209274.cmdMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077783Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:40.926{3F3E08E7-FC3E-60B9-3405-00000000C501}952WIN-HOST-243\AdministratorC:\Windows\Explorer.EXEC:\Temp\test\revil_001C0000_9a.7z.2wcqrp67MD5=8BF79B303CB65F88B31E078D2FE48F2F,SHA256=16CD335FA55866C8BAE58E0F18713493475BA8C926153107DA2AAF714648F65B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077782Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:40.426{3F3E08E7-FC3D-60B9-2F05-00000000C501}37522884C:\Windows\system32\taskhostw.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077781Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:40.161{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077780Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:40.161{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BFF0B26A54AA47E30DFC314AFF9288,SHA256=0A88C04DC05EFBC5267E7B04B395E440F78ABF39CA94B0E36B47CA6ABEF3D6C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077787Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:39.858{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53544-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077786Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:41.379{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077785Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:41.379{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47919128F785BDB92B17A75BA8F8D2AF,SHA256=4E324CCC936C21A2016181E77FE2075E99FC8EA365B3C067AFCD98DAB85E9FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075539Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:41.211{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD26260D3E177E3C134BA944CAE13E7D,SHA256=3CA3D45CE7B81ACB0A5DD933E79C638A62EB2B2BA8AD5F5B35C5542D9176A5E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077790Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:42.723{3F3E08E7-FC3D-60B9-2F05-00000000C501}37522884C:\Windows\system32\taskhostw.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077789Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:42.426{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077788Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:42.426{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FC94915EA33BF3DCC4C8201A3765F4,SHA256=22832D2EC90EC1F12B6DB75A2C3F5EFB2ABCE00BECC645A2EC5DF76F3B604EC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075541Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:39.422{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50622-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075540Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:42.274{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2BEF4D5D4E50471A9F7A8753067A9A,SHA256=6BD6A1F301BBA38F357DC3FEDF567908F41BD5F53F9D0C0D9768AA68108CFFAA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077793Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:43.614{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077792Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:43.614{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46603E8475CD5F1EFA3D007E0D29C67C,SHA256=F2E347F10B9BA78D9AA4F55792E63F8B42D67319648C6D8676DC70388D410AD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075543Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:40.342{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse104.248.36.610.ent.x64.eval.us-english.gz-s-8vcpu-16gb-amd-fra1-0155663-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 23542300x800000000000000075542Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:43.305{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9233B38FC89EE2135A132F716B38E8,SHA256=25A180B30AB57BEB3CBE80AC042DE89BFD7AE4AC7EB71521CD47FEA4FF7861A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077791Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:43.129{3F3E08E7-FC3E-60B9-3405-00000000C501}952WIN-HOST-243\AdministratorC:\Windows\Explorer.EXEC:\Temp\test\2wcqrp67.htmlMD5=7783435AA9802F6E740EA0F45ADFAA81,SHA256=72CADA5B401CBCC8CED1DCA313F4F9143EFCC71E539DBC5917E5B9F3CACB8528,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077795Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:44.629{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077794Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:44.629{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C841E6F18A64822FA329AD4D4F8D542A,SHA256=DF1E7BC037E31F8FECB01DB69E757482AFFA87EE19EC6F307CDF613511C4375F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075544Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:44.321{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A382A417F0401D8EDBA056A81E2FE5,SHA256=6F1631F2193E513205D9F76EA8FA43CB9DCFC491DD3D51BEF1A18CEF9FC0AC7E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077797Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:45.661{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077796Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:45.661{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105194D142067F66F299C48742262903,SHA256=58AB5ABCDBB1C9853900530F2B124DDB9A7D1ED6071C36D31028AC14601FA455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075547Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:45.323{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04037774BE67E51265DD3E60D9340668,SHA256=A2B84BC7352BCE6A108A20988B4718F3DDA18F9CB4EB9A889F201BB9A68B20BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075546Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:45.180{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8FC5E6FA7533CB77EC12C742107E42A,SHA256=D1BCC58B2B877538AE02D99996807258BF8582DD0FAC2D76846B7696152E63A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075545Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:45.180{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A3162251234E88DF5CCFB5B270310EB,SHA256=73B8EF9F3E4C0AF7B1FCBF8814A3EB2F297D81C24D719FDE985C64A511DC0C14,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077799Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:46.801{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077798Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:46.801{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD148AC2487A79DF0A7068DECAF51327,SHA256=22CD011C30FDA6447F770F9BEF22AF9BC7F45AFD109F013A583E22A40D533B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075548Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:46.368{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC98E6E6C556C5B0BF696A86A3D7E59,SHA256=E07B8DB2D94113D4FEAEBDA8D0D668D61C560D7B068326F649A7E65FA01EE778,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077802Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:47.817{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077801Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:47.817{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9351CDFB0EEC990D220FD19A9D36A8C7,SHA256=1B658B390E6CFB74DB2B77B6090B0AD87079992A49EEAF6162284248ED2C326E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075550Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:45.219{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50623-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075549Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:47.586{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9416590A715EA22A0C4D88A28A368EB5,SHA256=47A5CF1FEAE91C4B8842CFA2D4E4B3B3DD7516A9E9A9A8DDEED797F5CF208AE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077800Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:44.967{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53545-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077805Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:48.832{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077804Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:48.832{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34CE118409DC36B6423C7A5A287325B,SHA256=1D90AC656936C75B2ED432B487F31B4F9EF2DA794B517D9379A8E805587AB6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075551Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:48.696{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B8C4968A080B3DC9048F11CA01D653,SHA256=63B7FBAE5EDD8C467DFCE89402B0A8FBC12BD9B43C1739077F91F68DC65B7493,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077803Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:48.317{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXEC:\Temp\test\terraform_1952209274.cmd2021-06-04 10:58:43.801 23542300x800000000000000075552Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:49.727{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF50D09888716D9570D4E3919797205,SHA256=2E60E743009CAC24686ED143581F8C716BC497ED31853A2EBC080E849F2A846B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075553Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:50.743{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916DE1AE1966CC12C5B146FE39C0E81F,SHA256=540C662239E755571B0622DDEFCB83BF5B16FCBEC5E8DEAC0A3DB4F7A86322A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077809Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:50.379{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-06-04 09:23:23.209 23542300x800000000000000077808Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:50.379{3F3E08E7-02DF-60BA-6306-00000000C501}4144NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077807Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:50.020{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077806Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:50.020{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E73D0B26B7BE35665DD8DAA3D9CB3B,SHA256=5A06860074F6C957ABD353D6223C12DAA2A15E6593D3D41D6A75A63EE413202D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075555Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:51.758{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35C90006694B395FF9AEE8B85590609,SHA256=007287ACEC51FE2370796033F812B9ECB1731D20FAC9A12A07B67F21BE57DD91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077812Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:50.123{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53546-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 11241100x800000000000000077811Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:51.036{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077810Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:51.036{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912BEA93C022A8488C715AA1089F9740,SHA256=2673EBAEBECC9A468A8BFC9CCADBA93AA4E8E35680F4CF80F06D28F58BD550BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075554Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:51.540{89999F75-EECE-60B9-0B00-00000000C401}6241952C:\Windows\system32\lsass.exe{89999F75-EECB-60B9-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000075558Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:52.774{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6E69A210183517634E45361B5E51AB,SHA256=ED119EF8DD5035E3803B79B2C149B68C492DD9EC941FF636DBD9C5F401F16746,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077815Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:50.982{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53547-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077814Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:52.067{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077813Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:52.067{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F712265D8CE656911DA14E3FF281EAA,SHA256=14B1CA18FE6EEFD1CFA49B0175B27121003019549DE96F0E404607ECFAA4248A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075557Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:52.618{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10FBFE626FADB129ABD586867B3C3BD7,SHA256=189157851A4BB21C33C751ECD1BFADF32A3B8B2B172550BD70627B0A3524027A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075556Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:52.618{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8FC5E6FA7533CB77EC12C742107E42A,SHA256=D1BCC58B2B877538AE02D99996807258BF8582DD0FAC2D76846B7696152E63A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075564Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:53.821{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119F02FE883D70557A9C724B9058372B,SHA256=54DC653B69D993382FD8F0FB1B24223D469556D625595C1A5695CC677B1E78ED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077817Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:53.098{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077816Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:53.098{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F684D8B817656962646A8E2179F302C,SHA256=3BB9117C704347A41110357788DB73F3AE2BF4638DA6E3EB695116A7FE6FF227,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075563Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:53.133{89999F75-EED0-60B9-1600-00000000C401}12524616C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2A00-00000000C401}2948C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075562Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:53.133{89999F75-EED0-60B9-1600-00000000C401}12524616C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2A00-00000000C401}2948C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000075561Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:50.720{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50625-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local445microsoft-ds 354300x800000000000000075560Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:50.720{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50625-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local445microsoft-ds 354300x800000000000000075559Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:50.250{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50624-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075565Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:54.868{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC9A0B2EEBD5F9B964545DC57DF6F67,SHA256=5EB7AB93F104A48004D4CD94C72AAA468132DA2E2CFA105F5FE14EE3CCBD69A1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077819Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:54.145{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077818Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:54.145{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE83EA8C715B35066DA2BFBA238ADE2C,SHA256=92F3882076DE6A096C1A1B21FE59E15D61FB45B639B8692A08E6ED86E80F1456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075567Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:55.899{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E9BCEB43B3AC692F24C4ED4702A47A,SHA256=074CA99ECA44D58FAE96FDFFDAF1BCD54BF9C82E564EB0E8325938CA4C663640,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077821Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:55.161{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077820Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:55.161{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8686384069E69C22551B2275CA59710C,SHA256=63AAD7DA4903850D8BAC47B5D927C5C2FD3A0F7C9718B995E0CEA8694EBC37D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075566Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:55.477{89999F75-EED0-60B9-1100-00000000C401}376NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A15B7C7CCE4AF0A8D4D3A4F3096913D3,SHA256=C2CFC8F27FD1E63233A8393B22DAC4FD9B6EC806064050B305E46A7C58EE78C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075568Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:56.915{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA013B3501A6EBCEC21814971FB140C,SHA256=690D4C7B4098610E682DB4B8AB731232815325CF826F5E5F9E295FB78B866E18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077823Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:56.192{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077822Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:56.192{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A030E020EB1CB91315436E4BF5E01D,SHA256=EE770335F5763CF9449B0643DFBE30B7F62B8C731BC483FDD07E8706D00C648B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077825Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:57.223{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077824Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:57.223{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376FB1597920FF95F9795705E8C2C76A,SHA256=3E951EBE1D995F66B08EA52D6AB5DDD18BA51B93C239A1E50EDC677D61438176,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077858Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:56.764{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53548-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077857Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.582{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077856Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.582{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907E875C84722266CA5707FB8E39672B,SHA256=D632C96802057A72F35A3E248A4E5A84D7F897FEFACE9596A29E9723F0F484A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075569Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:58.133{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2367C77BF512F34C90328401B237198C,SHA256=23ED2587A4A8D1DEF7254C5E71AE1F1F2E879B9701207234B57D494A2056B909,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077855Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077854Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077853Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077852Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077851Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077850Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077849Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077848Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077847Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077846Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077845Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077844Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077843Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077842Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077841Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077840Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077839Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077838Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077837Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077836Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077835Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077834Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077833Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077832Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077831Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077830Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077829Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077828Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC44-60B9-4305-00000000C501}4364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077827Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC44-60B9-4305-00000000C501}4364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077826Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:58.036{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC44-60B9-4305-00000000C501}4364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077860Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:59.821{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077859Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:23:59.821{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DEB1D9ED0136663547E61AFCAB4476,SHA256=41A6240C1F7278780124EB60079CD4F415BE15E66F105CC165D74AE1D6D2D275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075571Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:59.149{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BC437EEF872B74B76F541895D8879A,SHA256=B09974ABB451FB27592E2B1203EFF05D481F52387BCBA9C8D174B6B7057527F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075570Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:23:56.297{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50626-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077862Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:00.853{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077861Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:00.853{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1D10755312BE6038ED80B08423E966,SHA256=F0E0B1D28CF657BDBD64EF35D540890E5243037864802D37F617825F87F0FA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075572Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:00.154{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A5FFBB01CEED7A58314FF96AE104CB,SHA256=260A6499359867933BCD551F5C61A849D9CB1D9EFEE0DF7595CB065390887F78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077864Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:01.884{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077863Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:01.884{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBD40FBB9D1BCF21B4D5539AD72A1ED,SHA256=E2CCCEA7998B68EC8A2C5B3E99E0BA0D6D4A32CB1F9C5918803473A3FF590AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075573Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:01.169{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71065766D5D8C64F61C28A53D7BDF3D,SHA256=4722962CE68BF3258A4079E9993ED729BC498038382D8F30962ED0F154C43B0A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077866Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:02.900{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077865Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:02.900{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1857FA7E09A0D0C3A1EF2C9546E6815,SHA256=F2B94067C384FB701D68B139A1430A0D6D20CDBBCD957C8114C7386026E35E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075574Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:02.185{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0309103A0280F68BE1C1D024C10689,SHA256=2A66C8953D015248CEFE1184E3A3B527232F1CF6A8DA5B5A8BDE2303A9E269C4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077868Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:03.978{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077867Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:03.978{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06420F4BF9424CCE4679D60E6BF8A082,SHA256=BD3D8116CA7C00E7D5D30816223C877E0E6D16026646D8FAFE8571BB8D272777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075577Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:03.325{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05E31E910C6F6557FD0E2E14577FDB14,SHA256=F241420D4B3F7C6D47AF6149C3ACA69C9A37A0B6AF120126918A126953AEE78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075576Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:03.325{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10FBFE626FADB129ABD586867B3C3BD7,SHA256=189157851A4BB21C33C751ECD1BFADF32A3B8B2B172550BD70627B0A3524027A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075575Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:03.200{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B7471B76D5A98E161EBB349ECDEB4B,SHA256=F0929D93C06420849A67A58A77FA757A4B07AFF02E77F9FD0EA818FBEBCA5ABC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075579Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:01.301{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50627-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075578Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:04.216{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055F975CE1125A79C4E0D8BA30A50C05,SHA256=FBF94B9E6EDB72D83B09CE118D7F5637C0104435E93AF2E07F82F3B5A988ABB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077871Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:01.987{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53549-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077870Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:05.025{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077869Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:05.025{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0584530E9C23B6ACC5B4A1C05C21D0,SHA256=CB7154CC8CF40C5746D8EE237EE17013CE7769BAEA98C5C279A7192734EE4E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075580Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:05.232{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4350E7BD283110F7C43D366B80C0A04A,SHA256=A59679383AAFD253FC6B3BA1FCDCB9ED5922EB599193BC69CBBB50BBF5CFB6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075581Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:06.247{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC902E05AE5B73F0D164B5C65DE61664,SHA256=DD9FE8B50702243AC13F003FE283AFE34AFD51E0B0250978BB5392C9E46E0E7E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077873Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:06.040{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077872Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:06.040{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA62A53AF973DC275D526BE7D53154C,SHA256=AA3A2094E6097E3C3D6CDC41DEEC07F8E5AEF07926AE0A6A5486230AD6EC4B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075582Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:07.263{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166CBF21F0F9B15F2E3668D93720A834,SHA256=1576DD9A58EDDCEFE3CAD22E84AB7EB981C495D2F02BFE79D1AE48F31377E1DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077875Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:07.056{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077874Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:07.056{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFCE7E1F86CEF52AE456936FC992792,SHA256=22CFD69E59E61D2C62084A16A3159A8A6213F4CBA54F2D8E0363E77021F1E66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075583Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:08.279{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C970B5AC703D5C1A36DAFF75EE79FF6E,SHA256=ADD43647D6C89C0CA6788FAFB17F0952137915E6A4D9A273E35108C395944F23,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077877Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:08.056{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077876Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:08.056{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90B84CC403EF652A87191BFBB30FF54,SHA256=497C05FF940B5CE73407B96BBB58E0EA927AC9DE76AC26E63B20067BC243BE77,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077879Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:09.087{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077878Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:09.087{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E6567DA2C32693EE38C6948744D068,SHA256=21C650985D110804C23FE5BABA5BF0E103AFB0CC95B0A231E55D1C5A7B0E01F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075585Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:09.294{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A40D699521A2496DC0F5F48F5173F27,SHA256=CCB0A0DFE955032800D61696D52AAF5F886E5057BA7233B882E9A6A136546186,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075584Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:06.333{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50628-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077882Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:10.103{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077881Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:10.103{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BA7F85DAB118CA08709F0F66F413AF,SHA256=CBB1B518C2282BEEE2356A64C5D8E29D2B11FAFB4F7E624DDA342B52AF1AC8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075586Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:10.310{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE70633E4468BC280709251223667745,SHA256=33F3364B7D6337BE3173E37F341BA16B2E9DA2BD20B2CCD0973BE4F6FC860272,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077880Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:07.971{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53550-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075587Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:11.325{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910D2AD81BB5BD077752152BA2411C03,SHA256=3228BB206BFABA35285BC809F58188718893D6A6C04775FCB8C0D133EE2E1EB2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077886Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:11.212{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077885Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:11.212{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB27155CD8C2E20DA03E3B6ECD73298F,SHA256=55A687B7D0B1E4988084AF7FA307D6D7F4E9C23A1EBF2253F3B3200FDAB0D176,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077884Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:11.118{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXEC:\Temp\test\license-eula.rtf2021-06-04 14:24:11.118 11241100x800000000000000077883Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:11.118{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXEC:\Temp\test\openssl.cnf2021-06-04 14:24:11.118 23542300x800000000000000075588Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:12.327{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272BF71E23B74D18FF83B215ACB89048,SHA256=C84137F416B91E041211F13DE71A785AF0632A6EE93BFA847BF7CFFF21867B61,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077888Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:12.243{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077887Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:12.243{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620C73AB33EB8295A930846AD6484B88,SHA256=3BB97137A80AF8E5782C18A7A20586CC341767B497D76520EBE40720E1B7BD49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077890Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:13.275{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077889Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:13.275{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A555D2E6566285CE6CD91668C8B5A9CA,SHA256=0B9D2B1030F67D3F3203A83FD99C16D89646C7FA974CF636A0D60D8FA1014F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075589Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:13.327{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93367A8EFFE22D0E4D655FEAD1D6A390,SHA256=40F4B7D55DCD657AA0F7FEE4CD52EC95C1D40507C959368438E57C9F91092848,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077892Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:14.290{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077891Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:14.290{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2162E5F79498FDFA06FE2D2AB2AA4A1,SHA256=5030F11110596AD108510185A9F214D865D2082535B3EE5FD77471837B6878AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075592Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:12.365{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50629-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075591Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:14.343{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BE6B59A9320B4D2B08F23CA2727101,SHA256=C2A2FA8805ED6B51D1CA892126D9D2BA84FA96963C867241D1A24C96C3CCF4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075590Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:14.264{89999F75-EEE0-60B9-2D00-00000000C401}2980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075593Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:15.358{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7C3AAF4E2C4BB479AC0A6C609B47C1,SHA256=21BE2F3435712898D2198F92BD9440D83A6E23DD5AEC02B0C31DBBA6DAA7C6BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077894Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:15.306{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077893Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:15.306{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81A1AFDAC334DCD1CC228AB784B7A0E,SHA256=FE4C5C0A4B9716B906C077A80C7FBE2F388FCA37BD90C59A269B165C6DC53328,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075595Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:13.428{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50630-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000075594Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:16.374{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B10FB4B234F8B3E82BF5185A90BF0F,SHA256=9974764F9446FC6680AA075D9056FEB3A99A7FAC8AAB0F2B97A6F118D3DB28CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077897Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:16.321{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077896Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:16.321{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8AD7DF367EAA3B49A22A758FCBF9E4,SHA256=F4D6D0AD77352778B9B6B2433D3E89D783FD9E8CA64388EB015B50905F342ACB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077895Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:13.799{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53551-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077899Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:17.337{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077898Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:17.337{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9243F375209B903C062D5DA159FB0731,SHA256=7D535F15B4AB529ED5E756D62FBBAEDED0700DB3BF7B94C646E5008FDABC37D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075596Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:17.374{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C216F1E5BA945C1B865A4BBB8566BE2,SHA256=3604F0F5808073916CD9887ED5A99888B59E39508EB9A17C9FEC176828AAE337,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077901Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:18.337{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077900Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:18.337{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2545ECC041DFEA97D4A4B2AD290FEFD9,SHA256=C64E18590EDE913B8DB3323F9F186764125194410BD74134ABC520669D9AAD94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075597Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:18.389{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97ADD37BB6A38342545D869B19BC794A,SHA256=97A953475B3B7DE7C8C88960C8669617600F921669940382F16EAB69DC0DF30E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075611Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3793-60BA-D50D-00000000C401}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075610Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075609Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075608Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075607Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075606Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075605Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075604Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075603Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075602Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075601Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-3793-60BA-D50D-00000000C401}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075600Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.781{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3793-60BA-D50D-00000000C401}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075599Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.782{89999F75-3793-60BA-D50D-00000000C401}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075598Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:19.405{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4BDB231480D4827DAEFBAAC2CFE525,SHA256=468AA3E95D4D5E9A1979A8E612BBCDAB2A41DF63FAF4E8018DEA0E5932902928,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077903Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:19.353{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077902Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:19.353{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB8A1246D7076F00B4319F374EABFDD,SHA256=903FE49B5CA710983A037702617A98A4465B4291F17825507C227E84E61B9441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075642Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.797{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C40C9CCB896D338597D7C64E09E8185D,SHA256=B279B1E23EACE69789C33DD0F8CD55D9CBE6FF6B19D8AD3B3568FA6D0C6CD84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075641Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.797{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05E31E910C6F6557FD0E2E14577FDB14,SHA256=F241420D4B3F7C6D47AF6149C3ACA69C9A37A0B6AF120126918A126953AEE78A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075640Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3794-60BA-D70D-00000000C401}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075639Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075638Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075637Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075636Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075635Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075634Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075633Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075632Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075631Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075630Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-3794-60BA-D70D-00000000C401}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075629Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.781{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3794-60BA-D70D-00000000C401}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075628Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.782{89999F75-3794-60BA-D70D-00000000C401}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075627Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.688{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A8283F5F226CA109F13107DBD5D60C,SHA256=1B422E86F6EC8EC9F709FF5C43DF28355202E8A929938821FC10FA04B39324D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075626Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.610{89999F75-3794-60BA-D60D-00000000C401}27004912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000075625Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:17.381{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50631-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077905Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:20.356{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077904Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:20.356{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B682A23699D547A0AEF7C512316FC7,SHA256=CDD39393495D74BA013F6D4AB57A2DEEA50D04E83D8B873D9843A590DE4E5960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075624Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3794-60BA-D60D-00000000C401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075623Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075622Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075621Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075620Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075619Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075618Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075617Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075616Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075615Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075614Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-3794-60BA-D60D-00000000C401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075613Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.281{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3794-60BA-D60D-00000000C401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075612Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:20.282{89999F75-3794-60BA-D60D-00000000C401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075657Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.987{89999F75-3795-60BA-D80D-00000000C401}36122816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075656Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3795-60BA-D80D-00000000C401}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075655Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075654Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075653Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075652Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075651Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075650Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075649Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075648Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075647Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075646Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-3795-60BA-D80D-00000000C401}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075645Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.799{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3795-60BA-D80D-00000000C401}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075644Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.800{89999F75-3795-60BA-D80D-00000000C401}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075643Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:21.547{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5BB0CB71EA9FD5D82B7F18D0E87E31,SHA256=991C4F379058BDF702110AC0E57414CDE03B0B0FCF9108376900886829FA31BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077908Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:18.815{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53552-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077907Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:21.403{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077906Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:21.403{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF482FF906E3A994E98FEAC9DED2563,SHA256=08EF9DE76C7C402F28641FEBB3C285681456FFBEEAADF75310A62734D0FA88BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075671Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.706{89999F75-3796-60BA-D90D-00000000C401}47561568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077910Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:22.418{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077909Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:22.418{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7DA96E32EC9D76496237A1D25159C4,SHA256=6DA0639091A3C7250A14FF44ECD1DF547AF28624EFDD7BA24269C9CD67AAA578,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075670Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3796-60BA-D90D-00000000C401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075669Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075668Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075667Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075666Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075665Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075664Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075663Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075662Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-3796-60BA-D90D-00000000C401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075661Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075660Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075659Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.471{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3796-60BA-D90D-00000000C401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075658Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:22.472{89999F75-3796-60BA-D90D-00000000C401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075674Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:23.865{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993C8A75C9978B30856209271D83D8BA,SHA256=49154D5CD873AB5085F943786BE4023BD5D03AABB7E307B2E16587E802E6303F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077912Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:23.481{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077911Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:23.481{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB20B1E27980799878297B2DC8ED332,SHA256=617CC4789EE624797869F34EDFF5557FC9285AD01D96BF6DFDA4589B54AE0CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075673Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:23.068{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06FF006B3B4014C50C10F3056FF21DE,SHA256=545C67327B18EDE4BF87C5AF6D72C3EAD774635B4490FCEE101D692869C97D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075672Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:23.068{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C40C9CCB896D338597D7C64E09E8185D,SHA256=B279B1E23EACE69789C33DD0F8CD55D9CBE6FF6B19D8AD3B3568FA6D0C6CD84D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077914Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:24.715{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077913Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:24.715{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C19900BFB1F0346B698805031711D6,SHA256=353A1A08EBFD66520C75F29458E4666CEA0D37B94D281BF4C99C3532F3838044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075691Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.880{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88DD51F1E880490835A79F97FC2E1E6,SHA256=F43C0504F545BFEA76EB6013B79710F001395E0A070AC06F7D99E09044EAE500,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075690Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3798-60BA-DA0D-00000000C401}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075689Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075688Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075687Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075686Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075685Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075684Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075683Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075682Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075681Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075680Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-3798-60BA-DA0D-00000000C401}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075679Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.661{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3798-60BA-DA0D-00000000C401}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075678Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.662{89999F75-3798-60BA-DA0D-00000000C401}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075677Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.552{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1500-00000000C401}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075676Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.552{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1500-00000000C401}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075675Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.552{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1500-00000000C401}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077916Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:25.949{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077915Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:25.949{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A32F29154F8274BEE04B4431B2A9F0D,SHA256=9FB97E4FA3CA1CE2C5D82FA12019C0644A281B7562B5D7CDF44559C4CE0E374F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075708Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.927{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E626C4FA96ACBDE3BAB0A8453F94653,SHA256=09671681324350E1DB4555A94E44706F5A62F5BA6156E3DA9D08E1ED23FF4EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075707Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.677{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=404949702A0D1684EDC9FA11021C8CE6,SHA256=A96A4830A0C99C01374041D9A3A1AEE0A59E1E973CF89B0E9A0F71C657B117F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075706Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.521{89999F75-3799-60BA-DB0D-00000000C401}6323068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000075705Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:23.356{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50632-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000075704Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3799-60BA-DB0D-00000000C401}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075703Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075702Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075701Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075700Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075699Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075698Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075697Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075696Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075695Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075694Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-3799-60BA-DB0D-00000000C401}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075693Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.333{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3799-60BA-DB0D-00000000C401}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075692Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:25.334{89999F75-3799-60BA-DB0D-00000000C401}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075711Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:26.958{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98C6ABD09EBC2614DAC4E72D1B724C8,SHA256=27E2727960576FB032FBDCCD2993C8341E59E8F50AFC07DFCE3C3B4CBCF139FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077917Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:24.005{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53553-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000075710Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.434{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50633-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 354300x800000000000000075709Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:24.434{89999F75-EEE0-60B9-2800-00000000C401}2932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50633-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 11241100x800000000000000077919Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:27.106{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077918Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:27.106{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58A2D590738873DF938A2479EFB59E1,SHA256=6A44032483D21008585ED8ECB6BCAA2ABC2BA1263D2715D246D5CF40127B936D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077923Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:28.387{3F3E08E7-F094-60B9-1100-00000000C501}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-06-04 09:22:24.815 23542300x800000000000000077922Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:28.387{3F3E08E7-F094-60B9-1100-00000000C501}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8744B3A9E93A715A3048C886323EEA55,SHA256=C2EFCCC9952EB858E85B9A00AFBB9348FE39CB04104D8F108EC1DEAC0FB72F4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077921Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:28.121{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077920Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:28.121{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F18F99E7826ACE84935381B229119A,SHA256=039065623333AFB4383614EEEA86B691FEDC5EF5613D74338B5D60D560243099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075712Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:28.193{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C184B9DD24030F003E7F20B9ABFFBFA9,SHA256=114E8CD39520250AF159B392A101E54B5AD03B454B8B29D30A721D1DCC43CA30,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077925Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:29.168{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077924Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:29.168{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207A459BBDD36707200DD37D5149C970,SHA256=E560ED236245CE066F421B2DDF66F2BAF5E9FC764386B65B03652EC74767B53D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075713Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:29.208{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7456D8F4CAAEEB53D71BD03078A69FE4,SHA256=6415F94B7C0D4C157298944C119B2EEF84019C343D780A3DE3DA2CED0F04F890,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077927Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:30.185{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077926Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:30.185{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB02EEAE9CC3F8A54AC851DA901F511,SHA256=3590A8CFC402A831ABD86BF291BE912A911A3150352AD77A1F388B0EDA99B607,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075730Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075729Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075728Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075727Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075726Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075725Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075724Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075723Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075722Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075721Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075720Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075719Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075718Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075717Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075716Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.958{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000075715Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:28.371{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50634-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075714Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.224{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0306F209DE0F66D4C34F4291729694C8,SHA256=65D065788294017BA1DC20873DF8F3CE3FFB1440CA76EE84000ABA5ADD557CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075735Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:31.239{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CA99ACDF2B70F2C1D6D0EA578B00DF,SHA256=E8FBE0EE48EF4C8EDDC8C3040E2E3FD0A035E707C355245C779056727962D5F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077930Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:29.772{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53554-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077929Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:31.264{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077928Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:31.264{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91086D8126F938744EAF2B13E406A1A2,SHA256=FE7EB906C8BE23044CDC3E0CAC08B5F38FC99D96CB34021828B434523627BF2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075734Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:31.068{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075733Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:31.068{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075732Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:31.068{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075731Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:31.068{89999F75-EECE-60B9-0B00-00000000C401}624712C:\Windows\system32\lsass.exe{89999F75-EECB-60B9-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x800000000000000077932Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:32.283{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077931Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:32.283{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F62AC1AD0B1E571E9880D55C4791456,SHA256=98B4811BE21E7E4D73E3429DD88F72A92B8E7BA722018700E3777F55A66C3EC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075744Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.250{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50637-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local445microsoft-ds 354300x800000000000000075743Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.250{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50637-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local445microsoft-ds 23542300x800000000000000075742Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:32.271{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52728257084E9287424CF6A0F8B9EEAB,SHA256=FDB541FBD1645AAD512E7D40E20791B493AE3F3C36E0F6452C274FAB0321044D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075741Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.149{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-392.attackrange.local50636-false10.0.1.14win-dc-392.attackrange.local389ldap 354300x800000000000000075740Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.149{89999F75-EED0-60B9-1600-00000000C401}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50636-false10.0.1.14win-dc-392.attackrange.local389ldap 354300x800000000000000075739Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.141{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50635-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 354300x800000000000000075738Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:30.141{89999F75-EED0-60B9-1600-00000000C401}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50635-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 23542300x800000000000000075737Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:32.005{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=971E1CFBDE82F294FC4834C06CF72787,SHA256=DCE28D343619BF128F484B51DFFB78E93E07E6001858C70E9DBFF781A5C65E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075736Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:32.005{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=154D2937F8E5EF4C22CAC61E38C2DA82,SHA256=C3218BFF79C8B4E681131279CB3EF5C1AC9777379BCBCD4606FE1CF603D7B503,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077942Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:33.518{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37A1-60BA-0B0D-00000000C501}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077941Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:33.518{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077940Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:33.518{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077939Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:33.518{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077938Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:33.518{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077937Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:33.518{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-37A1-60BA-0B0D-00000000C501}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077936Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:33.518{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37A1-60BA-0B0D-00000000C501}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077935Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:33.518{3F3E08E7-37A1-60BA-0B0D-00000000C501}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077934Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:33.330{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077933Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:33.330{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED7B361703AABC5938E3D3BDE38E67F,SHA256=848E8D42CDEE8C7374C1BF5DBB0FB39363ECC53FBA173FF72387C937E2D978C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075745Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:33.271{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F832EFB7B348981CEE60DEACA6AB00,SHA256=84D9834D1AA7CF65C6B39347BF8DC74C5680AE8539F4E0CE9A7F00449BD69970,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077965Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.861{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37A2-60BA-0D0D-00000000C501}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077964Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.861{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077963Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.861{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077962Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.861{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077961Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.861{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077960Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.861{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-37A2-60BA-0D0D-00000000C501}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077959Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.861{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37A2-60BA-0D0D-00000000C501}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077958Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.862{3F3E08E7-37A2-60BA-0D0D-00000000C501}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077957Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.549{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000077956Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.549{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CEE81F36684C9B98AF0A65AD32FB23E,SHA256=ABA2138BEE1E2A503E0DC8640D41A4B893A615DCE8FE09A12A36E430CD455A46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077955Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.549{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000077954Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.549{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C933F5B371DE860DB6C9BA54CE7FC575,SHA256=13A508C764D337A6DC87700E3E48373AD492567A878FB1DD1682D29EB87E2FA7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077953Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.502{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077952Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.502{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0C98FEBEE0ECBD2C4D249A8DDBCD10,SHA256=C65CEC1BF5E40C119CEFBD7A2EA14936344DAD5DF5AD2FADCA8971AC0F5338C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075746Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:34.302{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB9B5F580BEF7A399947F55EE78EDB5,SHA256=D0EC635478D10D0C61651C35321ED8E332F1E12EBFA637FDB86E797B82CAC055,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077951Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.315{3F3E08E7-37A2-60BA-0C0D-00000000C501}24964284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077950Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.189{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37A2-60BA-0C0D-00000000C501}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077949Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.189{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077948Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.189{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077947Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.189{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077946Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.189{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077945Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.189{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-37A2-60BA-0C0D-00000000C501}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077944Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.189{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37A2-60BA-0C0D-00000000C501}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077943Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.190{3F3E08E7-37A2-60BA-0C0D-00000000C501}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077969Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:35.877{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000077968Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:35.877{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CEE81F36684C9B98AF0A65AD32FB23E,SHA256=ABA2138BEE1E2A503E0DC8640D41A4B893A615DCE8FE09A12A36E430CD455A46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077967Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:35.518{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077966Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:35.518{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3533CEEB84426B69CA8E23BF69F9E2,SHA256=884B96B3321422AC9EEE3520934E0DF5E3C83BE8C1C829FAC68DA0D17706225F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075747Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:35.349{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E932C06E5D0F8A0D134554974A184A,SHA256=C64B1E342CCA1CE059327D396132F5406465F4C1A32908DD914219EE11E9D903,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077981Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:34.964{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53555-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077980Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.518{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077979Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.518{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AD38C2DE238BC195A015490433776C,SHA256=35D18A3EAB0FEC6561CF4F98936461F7FD90DD7FB7BC3B30483A054372428C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075748Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:36.396{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62665B493B3E46936FE4B42330442920,SHA256=6D4CB660E99C745074F043F5EF984D057217DF73FAB9876DA489E127D25CBEE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077978Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.486{3F3E08E7-37A4-60BA-0E0D-00000000C501}55324996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077977Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.361{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37A4-60BA-0E0D-00000000C501}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077976Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.361{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077975Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.361{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077974Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.361{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077973Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.361{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077972Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.361{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-37A4-60BA-0E0D-00000000C501}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077971Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.361{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37A4-60BA-0E0D-00000000C501}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077970Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:36.362{3F3E08E7-37A4-60BA-0E0D-00000000C501}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000078002Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.799{3F3E08E7-37A5-60BA-100D-00000000C501}4205888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078001Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.674{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37A5-60BA-100D-00000000C501}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078000Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.674{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077999Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.674{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077998Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.674{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077997Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.674{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077996Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.674{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-37A5-60BA-100D-00000000C501}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077995Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.674{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37A5-60BA-100D-00000000C501}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077994Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.675{3F3E08E7-37A5-60BA-100D-00000000C501}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077993Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.533{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000077992Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.533{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E02BFF9E6BE96F5E650DF1048B762E,SHA256=6C54408BD1F2C4AD1D455214CDD962788A2992EE0348E1841B7B3B641C12082F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075750Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:37.427{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DD5F06C88A3F7918CB61FD1DE27ED7,SHA256=D2A5B640681EF129EF5BFA55E72FC6225CE5C9DFCA99CE73FB1DD1C641E76AEF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077991Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.377{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000077990Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.377{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBB8E4CBCCBAEF86FCCBD2761D223D05,SHA256=A8137524685AA7C66476F72EA8A6E143CBE2E02B4FC44A0DAAD34DDA2F03953C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077989Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.033{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37A5-60BA-0F0D-00000000C501}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077988Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.033{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077987Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.033{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077986Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.033{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077985Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.033{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077984Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.033{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-37A5-60BA-0F0D-00000000C501}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077983Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.033{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37A5-60BA-0F0D-00000000C501}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077982Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:37.034{3F3E08E7-37A5-60BA-0F0D-00000000C501}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000075749Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:34.418{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50638-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078015Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.689{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078014Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.689{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D6D83CB2B2501F0CE572C5B94C1258D,SHA256=C45C76C1B0E55A183E07942280D2CBA7D9FD71A22214481AE50B5A5AB22DEF7B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078013Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.549{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078012Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.549{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3895E76FFF0B32DCB100513EF79C2DB6,SHA256=4BB55B3437BFF5E3753BD0690393883F7F719B46C6E2D5DF5F07A31D249C8901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075751Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:38.552{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28119DBE61D3611CC70DBCC061BDCAE,SHA256=3BA87696883BD428ECA1F6F13DF23285B9600E8ADAD725379193E79DE896B697,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078011Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.471{3F3E08E7-37A6-60BA-110D-00000000C501}55605880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078010Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.346{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37A6-60BA-110D-00000000C501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078009Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.346{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078008Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.346{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078007Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.346{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078006Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.346{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078005Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.346{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-37A6-60BA-110D-00000000C501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078004Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.346{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37A6-60BA-110D-00000000C501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078003Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:38.346{3F3E08E7-37A6-60BA-110D-00000000C501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078017Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:39.564{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078016Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:39.564{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227A4A3F9FA895683464C54CE8EA361C,SHA256=CF7E61010F2F0F34EE4AE671DFB3165609123426427563F941E3C57824FA3531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075752Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:39.599{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A745B61FFCC91D58DE9613D838B1FBA,SHA256=6B309BC1892B8E2E8AF5DEB8ABA7825064F7000ECE5E7F2999292F7DB2055D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075753Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:40.646{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D491B8B5B704EFA450D123C13C5AB7AF,SHA256=CEF94C4F988636B1870C3DF92490C78C3EC43AEF9B1105514BEFE43F34D474D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078019Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:40.579{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078018Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:40.579{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974EC2276E141CEC4C80C371F202AB00,SHA256=926C31E2E231FF92489D7C44B3C740903F734519DCFB6F3B860BB26F7FABF8BE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078021Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:41.595{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078020Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:41.595{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3208011B9214B615441E5EF7F1547FC5,SHA256=4BF524840EBD0EF90476DE4CF90113374F74B27B4A38AE34FCCD59752CCA87D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075754Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:41.661{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8CC59D15AD0C2DD7CE1D9B36A908FC,SHA256=3C692BCE8C2A00478AE4E04F4B20A99391291E11E30339142372AB8D195EBEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075757Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:42.833{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F7111BE4173B44B7F2778D3A4DE15B,SHA256=9A2219623362F2BACFCEBFBD80B51E845DD4126C7F62E9B26BC4F5E0C1686120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075756Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:42.833{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=971E1CFBDE82F294FC4834C06CF72787,SHA256=DCE28D343619BF128F484B51DFFB78E93E07E6001858C70E9DBFF781A5C65E8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078024Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:40.963{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53556-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078023Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:42.611{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000075755Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:42.677{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9886914404FFC2BE4A3A409F8FA52A2A,SHA256=CA30E90F32EAC609F0E4AF0F4CCEFAF6F6020CC0E72DC74164ED590CA8B4A430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078022Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:42.611{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE43548E8BECE6400C20233589385813,SHA256=540BAAFB9A248F00B069E26E3639F976A5CF202A76159DC8E5812C7AF07CA0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075759Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:43.865{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02B96A97C40B6446758620712C9FA14,SHA256=9974E8096F8E630ADCC6D8C0983889DEE600B3666A85CA3ADD09ABBF8C9171BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078026Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:43.626{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078025Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:43.626{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB55C8E47950839FD8A93BB0A243444,SHA256=81BE66AC88EF9FE24D7DC4ABF9836EC1213C07A50DB700F99F1A949077AA6CF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075758Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:40.247{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50639-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075760Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:44.880{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BEF1CE72567F65B1DE020A92608881,SHA256=6A4DC25E9A9101BC34E8970D661BD9C3781E05AE618A097599071D6960AE75CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078028Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:44.642{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078027Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:44.642{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3E82361B28374CEBC6044FC0944F43,SHA256=DBB13F3FC3043D0BFE0ECB8B51E57A14554476087DD5E542CE3F9AC0C220CE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075761Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:45.943{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD09BC79F2076BFEFA306F41FFC709D,SHA256=18B2173D3E897C373ADDD187C5460A53FBC9598BE2AF4499FD50B65F1C696690,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078030Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:45.657{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078029Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:45.657{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB87BB83A87BD688A32EEDB9059A793,SHA256=454A17DAC535864DD7BDA5D19AEBCAA974ED3B38FC64FEE14114BA5FBCAF0C05,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078032Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:46.689{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078031Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:46.689{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074F2259DD894FE69DC8306B808B92D3,SHA256=4B49CC77212D746F9609EAAEB8FD21DE0E408F917D267B7A625DA89CF21D1E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075762Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:46.974{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A64217E14688697C4F9842174D6CEFF,SHA256=148AD7702AB3EFCAE09404440B9A4F2B222914AACBF7524BB115B2ED26E1010A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078034Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:47.767{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078033Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:47.767{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5765C3CF84FCDDCB5DC4946711665A,SHA256=3896891A9BBD6A6B243FDAC304880A6E08AB23CFB4C930BDDC816387B6524565,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075763Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:45.247{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50640-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078036Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:48.798{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078035Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:48.798{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CFBC7D9744E8C0D12CE067452A8DB7,SHA256=145FA74BF307C8EC4EBD0158CB7E8AD9FE04FF28C41AB84B62E5A72C36725AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075764Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:48.005{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD119E28490575BB0F984BC8BCA4EC35,SHA256=6CFAC9359D0C459D87391F745CA348CE7CE83640ED23FC1D3801FAA0D44C3C8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078037Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:46.963{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53557-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075765Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:49.036{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889CA0877182DACD1EB7F734CB54BE33,SHA256=A99DCC375F42E834F7909296F8DF40932C35FE8B0907E807D1CB9815B1B16C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075766Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:50.271{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5FA7249E570FEA1D5E774E86F51E80,SHA256=835D7AB1A1FB65F2634644FB1441F4384341C78432DEECAD2DAE11F7B8EBA443,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078041Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:50.392{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-06-04 09:23:23.209 23542300x800000000000000078040Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:50.392{3F3E08E7-02DF-60BA-6306-00000000C501}4144NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078039Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:50.017{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078038Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:50.017{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54EAA79DB038753E8DACBFD562095165,SHA256=BEF7DFE9349A1A895690FB3439045D5988C524A6A2B57646CB9AC16B3772D667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075767Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:51.286{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E996601F4E3CA5EA0A8C1D978F16166,SHA256=30DF333EA2674105697470E015AE56B9741DA40210C6ED3BC06DA4C1B320201B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078043Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:51.251{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078042Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:51.251{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C507986488D29C05B435C8AEBE5B842,SHA256=5D531045DBBB185EB3036A819142A18C70ADF17923A148CC62D49710A3F13EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075768Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:52.302{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4A25DDBBE9FF6113975C8BE1C79C1F,SHA256=F42B05A4A4143677CFC4205CDD11703E24A6130230AC0B61C6466E233FFFA968,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078046Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:52.454{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078045Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:52.454{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1550FF275962498C0542B27A966C438E,SHA256=3FA5453BBFB38ECE03F8CC83CBB9E6111A497DF95A26EC1AF1F6C8A946D29654,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078044Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:50.135{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53558-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 11241100x800000000000000078048Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:53.470{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078047Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:53.470{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC0639266FC8E8D8DFDA2D1E76413AE,SHA256=D1D0D2F5FC5E245C16E39DC0BD313A9DC7AC522F971F29FAE08D6CDCF7DEDE17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075770Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:51.277{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50641-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075769Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:53.317{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F00E9A96CA6589BCFB366122B3FB3A,SHA256=1792028FDCC59D174A8A1F7FF35A09AA46744BEA94B13532492F6C009D21F39C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078051Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:54.704{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078050Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:54.704{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD95C7D2EA1D6180C26375058DACF88,SHA256=3EBF8E080392E78951ADDEBC1815A222390627EA7597D04012C26DDAF1999C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075771Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:54.333{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7088557D492D74826653C57E0D7103C1,SHA256=B2A2C91210F1D53FE5C7EA1EC18EFEC5D4F888AAEF9417D9AE2236925F0A8877,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078049Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:51.963{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53559-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078053Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:55.798{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078052Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:55.798{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC853F2972DDB2AD49EFC8CB27989971,SHA256=F90E5E34368240998AB35FD007EBC812D44C80B6787AB72B29A1A1CBFF948294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075773Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:55.489{89999F75-EED0-60B9-1100-00000000C401}376NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=20057218F4F39D4D80597B43DB9C7761,SHA256=778CAD931784F97A86DF215160555C7B05CD50C9A5F56687957136599198DADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075772Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:55.349{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8792C55A7A6DA1C1ADB4C5A478BE477D,SHA256=71A97428EE420FB8E68B5D27B38EB195D9BB3BDB5443A4C13D5F4D04ACC69AD2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078055Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:56.814{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078054Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:56.814{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1A9786F0A91CF389499C3F8003E7FC,SHA256=9B0048BBC5C737A9AAF6614F2152DB59B2FD0E620CC3C4DC1B2FE96E9D4B6809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075774Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:56.364{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA28DC81A1E45A092F59F909F9388849,SHA256=51C40F967AFE87FBD35655F787C02299E43789C1CB5278F581C543E0C0AE590F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078057Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:57.829{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000075775Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:57.380{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DB34E5706BA21B50B5061448F2F212,SHA256=63603D0C1D76C699DF45E09026CDD81472F466229BE61D9E8BC96E747050A50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078056Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:57.829{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8189AB18DC3FFE7431FAC86BDF3CAC7,SHA256=ED7C6A3CA885EA6F3BBC7EF15D06CFC503359B3667A8245F94661252DC7B91FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078059Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:58.845{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078058Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:58.845{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1304CFFF96A3E445A8BE19A33CC8E9,SHA256=BEB344BC7CA4DC67BA22AFE2B9BCF0C29A8454F802F5C156205E0166764FF72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075776Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:58.396{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64053814E4F0A8622918425061764273,SHA256=01D82BB3522C30D8D63B2D8742E603C72FECACDD53D12369E39700EA8028A917,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078061Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:59.846{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078060Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:59.846{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601350BA8E93C6174F38A36F02A25104,SHA256=9BDDD5AF37088B6D89A01EDB707BBABDB9A22B22FC47AC3985510A9B67BDF2BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075778Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:57.308{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50642-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075777Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:24:59.411{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729160BD616BEC11F2D1CCA99CBAFC21,SHA256=8A051DF0DB39609651E5884C8891D21093EAAC15643E532DEB1AA5C99AAEA5A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078064Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:00.846{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078063Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:00.846{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B903FAC8CAF55D8C727A9AC69EF5DC01,SHA256=FB4D0024C106B450E8B3FA41422FAC3EC72CF0C129529F6E36A799E536BFF8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075779Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:00.412{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42AD1FBCA5ACFED500F5C69D9386068,SHA256=7CE89F720AE2E546C9EB44B203498AC99CB671A47B8518F7FB138F1CF547E933,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078062Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:24:56.994{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53560-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075780Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:01.584{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D1BFA4C8ED1A326D7D78EA9D83DAAA,SHA256=1322A5610C25A89F09136B1BE4833A3AEE085B4C3B73574A1E35742AF6AD5280,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078066Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:01.861{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078065Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:01.861{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5519B668A6E5898394C283C74E66E44A,SHA256=682B7F7D491A133A4C55246FCFF2F15053275A64DD3FCA49BE1150001C6DB5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075781Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:02.584{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AC323B512921C0D68CB5FB4C4DB633,SHA256=9DACB3CD8D85C90DA75D144734B0CF841A6ED4AAA472083D083E5FB0DEA22400,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078068Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:02.877{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078067Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:02.877{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B5F0FBBF81AB8F116795D7DDD52932,SHA256=E80405DD5B0F5F8C15F858F2DEBFAF06E8C5C6CCF838254112D889693E5C6AA0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078070Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:03.877{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078069Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:03.877{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42272545AA5FDC14D4DDA46CC5CCE5D3,SHA256=B433F71887529E3D6E0538145F9931208B2C583D3FACE988DA3E9C2FE2B89EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075782Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:03.615{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAAE0A5E8101425203AD61278C16C153,SHA256=2195CA438BC9800B1218CE0E8D0B8EA2D2A30AD34B76E404D242ECCA2676493B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078073Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:04.893{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078072Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:04.893{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1EE1B381836C61C362715C09BC64CF,SHA256=1ACCB3751333584DE25657BB66C3A68B92960D2CBA227BCABA92443D5BAD6B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075783Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:04.662{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF9EDC5478C47B8BFBAE1AF8B7C2AEF,SHA256=7D0A33C3EF5BFBCD7787A620CB08020CBD6D8ED3338F6BE2D02AF04FDB96319D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078071Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:02.760{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53561-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075786Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:05.709{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD040C8E5EC9865A6FE6D2A25975E27,SHA256=4151D1CC35B7122E6B05243162B8ED180D0F0201FF7E401A915267F8E566B149,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078075Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:05.908{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078074Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:05.908{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B3ADAFE1ABEA45874B84E93ACF7397,SHA256=B1D94E7FC0F1FB2E0FCDEA33110184D77301C3E018261770217020B00E1977E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075785Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:02.608{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse104.248.36.610.ent.x64.eval.us-english.gz-s-8vcpu-16gb-amd-fra1-0163693-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 354300x800000000000000075784Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:02.325{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50643-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075787Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:06.740{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=110F0CE1299A2FE49BF49332C94EA88D,SHA256=01F3B8EC286840046EFD7A00D493D0762CD7C6473718E2837E20AEEF20FD4382,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078077Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:06.924{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078076Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:06.924{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00E70E3A70248C682F04A37460BF1AE,SHA256=BBCD9B632C431F93515DD37CF99571EDC530768AD94E45274DB287C75658C579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075790Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:07.865{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B5DAEFDBD083D0C9138D72D9AA2CEF,SHA256=DD7EAD0342D11BE53CBF5ADEEB5756159813A587D99D82D41000502D05DF4155,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078079Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:07.924{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078078Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:07.924{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CA26E822FDCB9E9B2732076796D19E,SHA256=4CEFB7362D573A5D4F38479FD17E18BD7AEE51CDF86FAE4E22F49162E3B7FF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075789Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:07.662{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F9A24BCAD853397540C3093954FFF69,SHA256=084C06AC54373ECEC89818AB34A30AA3C5391A1148B86C486427115819D95332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075788Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:07.662{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F7111BE4173B44B7F2778D3A4DE15B,SHA256=9A2219623362F2BACFCEBFBD80B51E845DD4126C7F62E9B26BC4F5E0C1686120,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078081Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:08.939{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078080Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:08.939{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CAF9D1B223D02D96600BB66C19B373,SHA256=88BA63C110958D25FFD0EF23E7B0D78191D09C563159A17D4FE56D46CAF4070B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075791Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:08.881{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F848C6781262EE078596C7F4FD7C8DCD,SHA256=98E47DFC41D44069A051F012BA29CB1B97D288FE5C6FB6CD5203192F42982996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075792Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:09.884{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2054FAF6E4218F44FEB4F772448E0E,SHA256=77FBDB1918F32662FD9AC6604AC2E541AF287E0B5AB40973199C47E1357E241F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078083Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:09.955{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078082Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:09.955{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C017BE5E9129EA972C2B53D78E45FC81,SHA256=06508541C79AC74E41F96AC4BD0ED9A5E4FE3CA0A85EC55C5E96D3DC02BACA50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075794Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:10.943{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C920FA8AB605F4897B3C50F93B084270,SHA256=3498CDB8313863D2088BA65D3A2384B40CD54CC6B34A26B72AAB0E6663BE74D2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078086Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:10.955{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078085Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:10.955{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097433E51E883E9B244D1AC913CB549E,SHA256=DE34EA48FCBECA06CE179115B4BC8B809E005CA4FED9EBEB4BE5F99580A150E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075793Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:07.387{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50644-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000078084Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:08.776{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53562-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075795Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:11.944{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719A9D363F4A30AD97DAEFF37FFA1B4C,SHA256=FC2A6F6CE3928017096AAEB4B56C0C87B2BC76332DDA1EE2545C99FFEB59C7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075796Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:12.959{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7607C2FBE90A12A79A2318C1118DB95,SHA256=30C9EED77915077EC92A15E23548E61591505690495743CE3DC95CE422A1546E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078088Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:12.018{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078087Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:12.018{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78616315455D3969D6A7358B9FF22A53,SHA256=9799BFFC7EF864B899814286068582940E9FE5C6F3E22880127B13EC9ED11E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075800Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:13.975{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241AAA46C4088FF5925BA4CFB7149914,SHA256=F6408FE459BF929A23FB9E0E65C8318C7EDA4EB6BB0EA26877DFB4127E6379E5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000075799Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-SetValue2021-06-04 14:25:13.553{89999F75-EEE0-60B9-2A00-00000000C401}2948C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x800000000000000075798Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-SetValue2021-06-04 14:25:13.537{89999F75-EEE0-60B9-2A00-00000000C401}2948C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\855A8254-D5B2-48F1-A62F-BEB32BC6D97F\Config SourceDWORD (0x00000001) 13241300x800000000000000075797Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-SetValue2021-06-04 14:25:13.537{89999F75-EEE0-60B9-2A00-00000000C401}2948C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\855A8254-D5B2-48F1-A62F-BEB32BC6D97F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_855A8254-D5B2-48F1-A62F-BEB32BC6D97F.XML 11241100x800000000000000078090Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:13.158{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078089Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:13.158{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4C4375B8B6F2F6A289FEB6D4DAA1E5,SHA256=A4FD49E09B113B3EDC8FF5110C3DA58361093060085FF75BDA32EBC3B70B5769,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078092Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:14.252{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078091Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:14.252{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66ED3874F204BFBFDD049520FD764E6,SHA256=D7AC814E9113F9CC08AE0E2F5E0DE4264FA22D98AC4D09C8D34C233CCC6FD520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075803Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:14.584{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB4EFD603BC864F28D0A5212F40E92BE,SHA256=85953BBE5E26BA32700E501A90DB98E825481814DDC439304D25D334B9AA11DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075802Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:14.584{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F9A24BCAD853397540C3093954FFF69,SHA256=084C06AC54373ECEC89818AB34A30AA3C5391A1148B86C486427115819D95332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075801Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:14.287{89999F75-EEE0-60B9-2D00-00000000C401}2980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078094Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:15.283{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078093Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:15.283{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE865D28211E3AC4A98800468F7D153,SHA256=F29E7C7AAE558BD76FF25D96E201D2142971AD062A229029122CAD5887359AFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075810Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:12.744{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50647-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 354300x800000000000000075809Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:12.744{89999F75-EEE0-60B9-2A00-00000000C401}2948C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50647-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 354300x800000000000000075808Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:12.735{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50646-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 354300x800000000000000075807Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:12.735{89999F75-EEE0-60B9-2A00-00000000C401}2948C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50646-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 354300x800000000000000075806Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:12.717{89999F75-EECF-60B9-0D00-00000000C401}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50645-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local135epmap 354300x800000000000000075805Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:12.717{89999F75-EEE0-60B9-2A00-00000000C401}2948C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50645-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local135epmap 23542300x800000000000000075804Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:15.084{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F40EEAA6615A593052F534C8D97ED6,SHA256=E190EBB8244EDEAE3AF913D17D5DB299808DB21230F103619BE560782BFCC767,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078096Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:16.518{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078095Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:16.518{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396C5700BED2146C66C7702348365CFB,SHA256=A7305AE1715FBAD03543B58C5960342B43FB6BF20E99F5040EA70AA654C5A150,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075813Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:13.450{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50649-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000075812Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:13.184{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50648-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075811Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:16.100{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9303FF3806671F4453F47B12C2487E,SHA256=29BB183929E91B95AB2918E4F56848D313C933D9B3E94BA6BD3354CF722BFCF6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078099Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:17.752{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078098Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:17.752{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F83A5F1CE6AEEBCA7E891A396F3E24D,SHA256=9F1F21324026823D8D45CCB4247C33C489DA581F1D33FD7E1C0F0D9A8704CCE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075814Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:17.115{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8E33EA80D147B71514FDBD150E9081,SHA256=1945CDB1CBE1A66EAD7CDBE6F69910623D9210F11B933E4A87F8BC7B3EC2E49C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078097Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:14.776{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53563-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078101Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:18.939{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078100Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:18.939{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64B4A43526FA3CEDB126CEA81728CBD,SHA256=AEA958D3F12695CA495795E5DEB03E732A8B53D9C52531ED9E1DE17025C04C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075815Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:18.131{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE99F3BE1FE000B3985D35DB7162560B,SHA256=53634636CE890EC44245C42194B1986FBF736D1F738DD095B34F302D7A05F6B1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078103Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:19.974{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078102Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:19.974{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503F92005C0C39BAA6136065C8B760DD,SHA256=8DB2B315320657DFF784BC88A41147F2022EC42C99031DE01730A9C2DD0716F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075829Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-37CF-60BA-DC0D-00000000C401}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075828Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075827Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075826Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075825Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075824Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075823Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075822Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075821Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075820Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075819Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-37CF-60BA-DC0D-00000000C401}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075818Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.790{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-37CF-60BA-DC0D-00000000C401}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075817Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.791{89999F75-37CF-60BA-DC0D-00000000C401}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075816Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:19.147{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29903D637D0704EB05E89A9DE838734,SHA256=47BECB793629740E3DBA461455D2C70BAE49C53F53D405BE41DA22E6B0C2D735,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078105Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:20.989{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078104Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:20.989{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291B491D74BA60262CDE0C0373BF2737,SHA256=9C0F93F719A53F39CA53FEED6041BA9D0C513E2DD4236CFACA888B366E4E3E2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075846Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-37D0-60BA-DD0D-00000000C401}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075845Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075844Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075843Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075842Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075841Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075840Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075839Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075838Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075837Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075836Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-37D0-60BA-DD0D-00000000C401}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075835Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.415{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-37D0-60BA-DD0D-00000000C401}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075834Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.416{89999F75-37D0-60BA-DD0D-00000000C401}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075833Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.290{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D9A348588DC88301C7AFB36B7A7E7ED,SHA256=815E2B5D6672CCF374B6147F86CA0DAA0C599EBC5B553AAEE67778A3B863D1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075832Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.290{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB4EFD603BC864F28D0A5212F40E92BE,SHA256=85953BBE5E26BA32700E501A90DB98E825481814DDC439304D25D334B9AA11DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075831Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:18.357{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse167.71.57.13910.ent.x64.eval.us-english.gz-s-8vcpu-16gb-intel-fra1-0153951-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 23542300x800000000000000075830Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:20.165{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528FFC14285D509EE3B478F57E5A847C,SHA256=2E34F69FC9876E56A37D6994EFEF890137DE3E84EF163C3E91C9DC421171EF01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075877Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.995{89999F75-37D1-60BA-DF0D-00000000C401}28721392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075876Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-37D1-60BA-DF0D-00000000C401}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075875Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075874Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075873Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075872Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075871Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075870Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075869Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075868Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075867Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075866Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-37D1-60BA-DF0D-00000000C401}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075865Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-37D1-60BA-DF0D-00000000C401}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075864Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.808{89999F75-37D1-60BA-DF0D-00000000C401}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075863Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.555{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB303BBDA07E63FF78636FA99563B91,SHA256=BBAD78CF63F274CF38B59DE0B7D754B6C88A76C86308F8FAED102FE5C7094B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075862Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.555{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D9A348588DC88301C7AFB36B7A7E7ED,SHA256=815E2B5D6672CCF374B6147F86CA0DAA0C599EBC5B553AAEE67778A3B863D1FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075861Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.259{89999F75-37D1-60BA-DE0D-00000000C401}4924076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000075860Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:18.418{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50650-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000078106Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:19.810{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53564-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000075859Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-37D1-60BA-DE0D-00000000C401}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075858Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075857Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075856Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075855Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075854Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075853Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075852Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075851Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075850Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075849Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-37D1-60BA-DE0D-00000000C401}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075848Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.087{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-37D1-60BA-DE0D-00000000C401}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075847Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:21.088{89999F75-37D1-60BA-DE0D-00000000C401}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075892Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.652{89999F75-37D2-60BA-E00D-00000000C401}51161016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075891Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-37D2-60BA-E00D-00000000C401}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075890Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075889Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075888Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075887Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075886Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075885Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075884Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075883Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075882Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075881Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-37D2-60BA-E00D-00000000C401}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075880Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-37D2-60BA-E00D-00000000C401}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075879Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.480{89999F75-37D2-60BA-E00D-00000000C401}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075878Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:22.292{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FBF2801436B5E16A655155FE54AC5B,SHA256=E7564717B702469BD940BBE4B48020978051124938D189CB3B6332051089B856,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078108Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:22.036{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078107Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:22.036{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58ECE42BEFE928BACFC2520A24CD98AA,SHA256=6E794B7429E96467B6DE2355383166F9A1FCAE3EC4E0D7DFECB53FAD0B7B183E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075894Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:23.398{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D11BB57E49491AB597965ECD68E7F25,SHA256=B7D68BCD58EDD09B074B3F338F95ABC2EE619B57370AD667F1FCCB3190E87A9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078135Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.130{3F3E08E7-FC3E-60B9-3405-00000000C501}9525772C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078134Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.130{3F3E08E7-FC3E-60B9-3405-00000000C501}9525772C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078133Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.130{3F3E08E7-FC3E-60B9-3405-00000000C501}9525772C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078132Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.130{3F3E08E7-FC3D-60B9-2F05-00000000C501}37522884C:\Windows\system32\taskhostw.exe{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078131Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.130{3F3E08E7-FC3D-60B9-2F05-00000000C501}37522884C:\Windows\system32\taskhostw.exe{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078130Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-FC3E-60B9-3405-00000000C501}9525008C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078129Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-FC3E-60B9-3405-00000000C501}9525008C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078128Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-FC3E-60B9-3405-00000000C501}9525008C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078127Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-FC3E-60B9-3405-00000000C501}9525008C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078126Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078125Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078124Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078123Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078122Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-F094-60B9-1700-00000000C501}12005988C:\Windows\System32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078121Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-F094-60B9-1400-00000000C501}8842340C:\Windows\system32\svchost.exe{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078120Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.114{3F3E08E7-F094-60B9-1400-00000000C501}8841080C:\Windows\system32\svchost.exe{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078119Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.099{3F3E08E7-37D3-60BA-130D-00000000C501}18282484C:\Windows\system32\conhost.exe{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078118Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.099{3F3E08E7-FC3B-60B9-2105-00000000C501}3032948C:\Windows\system32\csrss.exe{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078117Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.083{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078116Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.083{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078115Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.083{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078114Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.083{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078113Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.083{3F3E08E7-FC3B-60B9-2105-00000000C501}30324004C:\Windows\system32\csrss.exe{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078112Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.083{3F3E08E7-FC3E-60B9-3405-00000000C501}9525252C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+20f260|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46|C:\Windows\System32\SHELL32.dll+d0c11|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+1700e0|C:\Windows\System32\SHELL32.dll+16ec6c|C:\Windows\System32\SHELL32.dll+19e878|C:\Windows\System32\SHELL32.dll+16ee06|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000078111Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.096{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp\test"C:\Windows\system32\WIN-HOST-243\Administrator{3F3E08E7-FC3D-60B9-9E4C-2D0000000000}0x2d4c9e2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\explorer.exeC:\Windows\Explorer.EXE 11241100x800000000000000078110Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.036{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078109Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:23.036{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F051967E4F5A21B26FE30E16C342F3D,SHA256=C098B22CF68C4475B52812FA93BBDE808A71E8E4AA37439D58DC2824E4510AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075893Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:23.039{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E6048D747F0C00BE39DDC36A681E4CE,SHA256=938CFFAAAF8092733A1AB8DA454E099BD499CB511C4FACA71F332BEBBBD7A842,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075908Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-37D4-60BA-E10D-00000000C401}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075907Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075906Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075905Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075904Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075903Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075902Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075901Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075900Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075899Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075898Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-37D4-60BA-E10D-00000000C401}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075897Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.572{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-37D4-60BA-E10D-00000000C401}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075896Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.573{89999F75-37D4-60BA-E10D-00000000C401}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075895Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.416{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB4085BFCB4E3D49EEC5A73885A02A1,SHA256=6EF3CD28C28AF54BA523B7F34E956D58925793977E806FCCDCD8985CB7CE1FD2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078141Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:24.208{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078140Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:24.208{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B82AA9B9F729F57E148C64A31EBD7D86,SHA256=6E9DA3C3BA05A1D08EA186FDB32B9DACB2C28DFDFB6A670193E5C16151BA80E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078139Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:24.208{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078138Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:24.208{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45ABE017D71173A9BAF446C75DE45968,SHA256=7CC5648C7E42B30FC0593B4611805BAFB4438645A6B2348B88836FAE9004BE03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078137Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:24.052{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078136Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:24.052{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE168056F415BD0D1EBB86E6D04D3AE,SHA256=2EC0AA3C51840DA149D2CE5983E822F9BF8C95F0D3DBBEEF49DB2E2180EA0A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075924Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.713{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FBD128F38B396F5BCDEA92425FD99E3,SHA256=551C536F69C31DF90E45FECDBEC257459CEEF9E1212045575E29FFB8B7465A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075923Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.713{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F340161A0810318898C6689E9E2CEF5C,SHA256=3B345D17FF186998E318531064D658273C16D30BD4375FD7456E61163A8D9BCA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078143Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:25.067{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078142Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:25.067{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871ECBE9AACF580A3E0D4AAFADEBF36E,SHA256=6589791D77B85D8235AD724D4F3C1286A8F6B34B94FD8F490EE96D53386857CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075922Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.416{89999F75-37D5-60BA-E20D-00000000C401}50523816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075921Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-37D5-60BA-E20D-00000000C401}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075920Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075919Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075918Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075917Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075916Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075915Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075914Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075913Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075912Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075911Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-37D5-60BA-E20D-00000000C401}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075910Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.244{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-37D5-60BA-E20D-00000000C401}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075909Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:25.245{89999F75-37D5-60BA-E20D-00000000C401}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075928Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:26.947{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F810CF964EC5C5332C823228204A1A,SHA256=A4415A28C4DFE0A4AA02B355CAE9F47A09D216D7D07B053C7B029117BE3C6EF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075927Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.438{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50652-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 354300x800000000000000075926Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.438{89999F75-EEE0-60B9-2800-00000000C401}2932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50652-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 354300x800000000000000075925Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:24.391{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50651-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078145Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:26.067{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078144Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:26.067{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593FF1CBAD672A84428C75D6E1FC9FF8,SHA256=567817C98451E05F1C4340CE834DFC889869B5FF81F1F429350E103E0459A08D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078147Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:27.083{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078146Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:27.083{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB3AC1CFAC4A2F6A1F257D42B810B83,SHA256=7053C0467F0A35853268BFBC7039773093FA4362D4CBE91582BD2AFF44F86795,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078152Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:28.395{3F3E08E7-F094-60B9-1100-00000000C501}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-06-04 09:21:24.810 23542300x800000000000000078151Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:28.395{3F3E08E7-F094-60B9-1100-00000000C501}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=982C18576AF415036EBE4A0135A9879A,SHA256=843FAA00588573E5915DC79403F5D8371AC9833A3E2D4446CFFF92B669999875,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078150Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:28.099{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078149Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:28.099{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49CB55A6D87ADD22D802C25CA86087E,SHA256=B8978505DEE8B26B54F7423FBBC09FFB1CDD2ABB592123FF0D149C0943EAA874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075929Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:28.104{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8B1D7544951A6C14ECBC777DC9774C,SHA256=8AADCB5FAC3AB0BD844F3ADBD09D0C709BEDF36218898530BBDF03C015B28C17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078148Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:25.810{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53565-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078154Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:29.114{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078153Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:29.114{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8E33D275E67BAEE87F1BEAF29F0131,SHA256=F602750FAF109533DF0295F29616CE1856FFDBAF9683F8955F011B7993DEE0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075930Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:29.119{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5E702FCE3F97339AA180210CCEF21E,SHA256=4188AE97C821A563824C772A8A1F55C001D09375617A3C85E42F10A6B1C67B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075931Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:30.135{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AED03B9E479F06C9AF5A02A087AE00,SHA256=BD2611C1A51B7481865101D335674F40514E57D73266B68A16B7E7F6F67D973C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078156Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:30.130{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078155Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:30.130{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FA2776415B375E1F9A33010F5F5412,SHA256=27C5EEDA376BC074D183ABAA87A43592926C2DB5AEF4851C1A0A3E720B40ECA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075933Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:29.422{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50653-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075932Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:31.197{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC8B3B4A7ED8F16710B7C2ECC022434,SHA256=D8BB5A23FBCDBF0BF9498499C5E083BCA975DA5A93BE7F1B55D1947E5A3189DC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078158Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:31.131{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078157Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:31.131{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5ECFBC6A7B05D6D5F1B4845C1008481,SHA256=B261A38FF2A91974E205AC7381DB82A695277F0215253A64F4C134304B234E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075934Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:32.213{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2ED93A8A8EA73D85340302B70E84B6,SHA256=D24AD8736C13F354B247C075ACD70BBD91DB61BB7044E6BC8CF6D19D5F6184C4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078160Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:32.143{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078159Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:32.143{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83354ED7AA478B80DBBCC80087FC332,SHA256=413D1E1341E6CD78834F77B4B67FF57BA84C612E131B54A0A82B8858B35A5E5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078171Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.568{3F3E08E7-37DD-60BA-140D-00000000C501}41085920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078170Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.443{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37DD-60BA-140D-00000000C501}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078169Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.443{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078168Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.443{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078167Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.443{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078166Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.443{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078165Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.443{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-37DD-60BA-140D-00000000C501}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078164Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.443{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37DD-60BA-140D-00000000C501}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078163Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.443{3F3E08E7-37DD-60BA-140D-00000000C501}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078162Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.146{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078161Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:33.146{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9028AA76E87B6C447789B3847FB287D0,SHA256=9A5E44AC15130762BA2991479DFCB06E56E993C90C0A7DE248A5507D11F43F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075935Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:33.276{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8C4BCD6248B68EC695582FDA9A0E1C,SHA256=DD60764A61388EF1E2DD7EF0F9AA046970AEBC96DD6C9E5B428FE82E35C8BD63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075936Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:34.276{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7633552BA3F076CAEE5D862FBE622BB9,SHA256=0D63994357E91F4753967488C434E64D639BFAD822822A7BB8F06F4361F9C431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078201Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.786{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37DE-60BA-160D-00000000C501}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078200Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.786{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078199Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.786{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078198Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.786{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078197Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.786{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078196Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.786{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-37DE-60BA-160D-00000000C501}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078195Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.786{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37DE-60BA-160D-00000000C501}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078194Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.787{3F3E08E7-37DE-60BA-160D-00000000C501}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078193Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.458{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078192Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.458{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AC64F0D83216F38EE178D8A45C11DF5,SHA256=5A78887FB18A4475F659CF3FA97A8005CC62040870689E73C3F1BF1A4F21EA67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078191Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.458{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078190Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.458{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B82AA9B9F729F57E148C64A31EBD7D86,SHA256=6E9DA3C3BA05A1D08EA186FDB32B9DACB2C28DFDFB6A670193E5C16151BA80E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078189Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.443{3F3E08E7-FC3E-60B9-3405-00000000C501}9525772C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078188Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.443{3F3E08E7-FC3E-60B9-3405-00000000C501}9525772C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078187Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.443{3F3E08E7-FC3E-60B9-3405-00000000C501}9525772C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078186Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.443{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078185Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.443{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078184Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.443{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078183Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.443{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078182Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.161{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078181Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.161{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AFE454A33C3201C5C3A81408D41BCD,SHA256=5C4337D7BF12416B2B5BD3DBAEE27258FFBA9897F1B58398354FF87FC841CF01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078180Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.114{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37DE-60BA-150D-00000000C501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078179Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.114{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078178Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.114{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078177Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.114{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078176Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.114{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078175Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.114{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-37DE-60BA-150D-00000000C501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078174Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.114{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37DE-60BA-150D-00000000C501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078173Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:34.115{3F3E08E7-37DE-60BA-150D-00000000C501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000078172Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:31.854{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53566-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075937Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:35.291{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8001435EA0430C38E201A714E1C2D03E,SHA256=37635DBA5BC9D915924FF8DD1C7F497061CD92E38B6300F5012154AD080AF648,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078205Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:35.849{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078204Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:35.849{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AC64F0D83216F38EE178D8A45C11DF5,SHA256=5A78887FB18A4475F659CF3FA97A8005CC62040870689E73C3F1BF1A4F21EA67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078203Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:35.177{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078202Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:35.177{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9CF342EBD5937EF4AF7FDB4E132140,SHA256=9CA66E2897B9063EF1801EDF4EC60E39FC8C1DD7D9F55B90E3FED7961DD2CCC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075938Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:36.307{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BAEE0EB57E13AED82908F682DF35F50,SHA256=E4212B89404E6719AB38CB7C8F2A970A8CE9F02C9DAC6D87EE0983D8E9F0AC22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078215Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:36.333{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37E0-60BA-170D-00000000C501}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078214Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:36.333{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078213Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:36.333{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078212Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:36.333{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078211Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:36.333{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078210Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:36.333{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-37E0-60BA-170D-00000000C501}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078209Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:36.333{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37E0-60BA-170D-00000000C501}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078208Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:36.334{3F3E08E7-37E0-60BA-170D-00000000C501}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078207Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:36.193{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078206Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:36.193{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8164D5CB12A68E6318D0C19CAD03B9,SHA256=877373FFA6E0ADEB69DEB0AE2DE945003A10FC10E8C40061387437EAB175B595,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078237Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.802{3F3E08E7-37E1-60BA-190D-00000000C501}50002908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078236Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.677{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37E1-60BA-190D-00000000C501}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078235Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.677{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078234Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.677{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078233Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.677{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078232Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.677{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078231Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.677{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-37E1-60BA-190D-00000000C501}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078230Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.677{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37E1-60BA-190D-00000000C501}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078229Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.678{3F3E08E7-37E1-60BA-190D-00000000C501}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078228Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.349{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078227Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.349{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=724B62968063B3F9AA1A3FB0556699B9,SHA256=6824BAA40A3CEE42E92596ADAFD17F1D19944DE5C8303C80F55BA9DFD3AC1E99,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078226Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.208{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078225Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.208{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9064A4F0859CA0B4AE5600446C38843,SHA256=B37ED4BAE252A1774D707526EA04BD807B42149FFE78FC9CDA531F5D13189886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075939Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:37.322{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F31275B5023CCA83E29ADF1844CA23,SHA256=6BAA98C76C7D3C042593BBE226852AB0211837FD7A5DA9ECBD7C13A2FC59292A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078224Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.130{3F3E08E7-37E1-60BA-180D-00000000C501}60245652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078223Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.005{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37E1-60BA-180D-00000000C501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078222Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.005{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078221Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.005{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078220Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.005{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078219Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.005{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078218Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.005{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-37E1-60BA-180D-00000000C501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078217Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.005{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37E1-60BA-180D-00000000C501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078216Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.006{3F3E08E7-37E1-60BA-180D-00000000C501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075941Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:38.323{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B97FF735E44DB04EF8795E2995207F,SHA256=533DCD411CBD3D9036387B9285AFFF2AFFB9CD453BF4C3B149EFB2931DD1B559,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078250Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.693{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078249Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.693{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3D1C287F340830B97AC259D2DC7A99A,SHA256=65559977A71C03DB636CC9E6F6A4C6BBCC79A24551A08FE26D4F3F090C9A38F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078248Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.474{3F3E08E7-37E2-60BA-1A0D-00000000C501}14883588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078247Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.349{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-37E2-60BA-1A0D-00000000C501}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078246Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.349{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078245Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.349{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078244Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.349{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078243Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.349{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078242Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.349{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-37E2-60BA-1A0D-00000000C501}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078241Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.349{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-37E2-60BA-1A0D-00000000C501}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078240Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.349{3F3E08E7-37E2-60BA-1A0D-00000000C501}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078239Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.208{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078238Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:38.208{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984EB23AA89A4E03DA741923950C3A5C,SHA256=C0BED8776AEFC555197610C9F56C8CFEDD324EDF57688110CF871244C5C4D38F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075940Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:35.188{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50654-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075942Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:39.338{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E62B7EBE0A29608149CCA2CF25538F,SHA256=C4789BFA42031E365B9C05F636B21AE9AC48BF6F9E918B4FB692A559932C2A3C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078252Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:39.224{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078251Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:39.224{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B73C95B14117A958034F05938A8CFD,SHA256=5A21AC76A9C181D32B537A864E2AEF7571588354C6FAA1EBA9AEAAB37FC2CC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075943Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:40.341{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475A2B5B935AE0D739644715C6F3C1A5,SHA256=17882B72BB3C8F228689557CFB43E7D03322A0131334D12E9C173EFC47A0BEEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078262Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:40.994{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078261Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:40.994{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078260Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:40.994{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078259Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:40.994{3F3E08E7-FC3B-60B9-2105-00000000C501}30322012C:\Windows\system32\csrss.exe{3F3E08E7-37E4-60BA-1B0D-00000000C501}5452C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078258Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:40.994{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078257Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:40.994{3F3E08E7-37D3-60BA-120D-00000000C501}25083204C:\Windows\system32\cmd.exe{3F3E08E7-37E4-60BA-1B0D-00000000C501}5452C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078256Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:40.993{3F3E08E7-37E4-60BA-1B0D-00000000C501}5452C:\Temp\test\conti.exe-----conti.exe -p C:\Temp\test -nomutexC:\Temp\test\WIN-HOST-243\Administrator{3F3E08E7-FC3D-60B9-9E4C-2D0000000000}0x2d4c9e2HighMD5=F49B9F0D5AEFAA1F6431C18774B83553,SHA256=59A9F0DE96EFF57768E995B296AE75778A232F30D95A7B7AB5048C621B50C66D,IMPHASH=165166DAF912EEEDE18349A7B86B5288{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp\test" 354300x800000000000000078255Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:37.841{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53567-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078254Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:40.228{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078253Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:40.228{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C342A92D1640661AFC1847F9CD64A0,SHA256=B238FC5762BC4E11EC28265837153E5D3C22426CCCD211F074486BDFDFBBF39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075944Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:41.341{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AF042FA89A2F3974E55A5151EDBD9D,SHA256=9CB274EC946FA8288F26AC1626F8A7BD6B272FA4FA85F090380D7FFCAB7DEB9D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078266Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:41.978{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078265Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:41.978{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E59671C8E7BADCF682F7A749E6A6AEC0,SHA256=8F8DDD2B6137ABF7FF136DBC83C1D0AF7D35C101301402AEE1590B41AF6B9456,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078264Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:41.228{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078263Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:41.228{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A469553DEA17D91E9E9B72FA5D3FAC40,SHA256=1A30239312D554E98EB2D448A1E192D99872F03C62E45D482423D1273A6297E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075945Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:42.357{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680313E8A285B780DB17B25DB7FD0144,SHA256=539D22EA53B4E91C20A7DDA57549A65383B85B178A5883BBF436283E6CC42943,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078268Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:42.244{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078267Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:42.244{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EE51AF1D8A0D9AE3D461120E740EFD,SHA256=99A5268B84FEEFEBE387F0E745026B4677B29BFB8F7E6EF707EE88A507B4C5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075947Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:43.373{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F7D28D0939362BA5444577B8A41A63,SHA256=366DA4C6BE35F0E767EA6F634CE26947F63643FC79CB7AE477ECFA0E2C2902B7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078270Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:43.260{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078269Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:43.260{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F6E85A4D84DFFE5B47512D14276DEB,SHA256=8D16FBC6F6FAD4C183674A9C67419F9CA126F12C89C9AC35A3CD3FBF5FEBF209,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075946Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:40.269{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50655-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075948Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:44.373{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A50C36CD7B7254C1C4074863B5AB24,SHA256=B1361B1503B11CA99102B6AB51369D3D00484654EA26BAEA97E0329936AF31CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078272Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:44.275{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078271Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:44.275{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA28C0F091EDEEFD296F9FA9AD242CC,SHA256=4E046BAA99A656CC744B64CD949233CE71E74D37EB32E7A3E5D5710BBB2EE9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075949Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:45.388{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16119C46A4931EAF09AEBB7B56137BF,SHA256=5506F1E9064E96237F898C71B1E827DA60992E26019131D4308C967C0BE0ABE3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078274Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:45.291{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078273Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:45.291{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3B3934293DF91163014C16C3F4F9B9,SHA256=36A9A76E60B40F5EA034A854F64FEFF3E55DD2ED1B0556C2D1CE2937C22A69FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075950Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:46.404{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B3290ED7CE59FD96884D8053A9F17C,SHA256=429D1127A1E0811FF2E78C29F1094EC0C4E38EA223EC82D382D8E1EA77D55ADA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078277Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:43.861{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53568-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078276Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:46.307{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078275Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:46.307{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042698E0AECF4DB3828396BED76B50AC,SHA256=FCD0CFAD83779A6302EC561AC5E8B0F58FCA82084DD8B05366C01CAE7EA540B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075952Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:45.300{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50656-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075951Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:47.419{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D88AA10E9FE01AF6086BE91CEECD8EB,SHA256=4B3B61C906F1754AD4D5EE5679B7B0A5BBFA3072B9EA8EB5A4D65E6CF7B2D045,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078279Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:47.322{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078278Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:47.322{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342D8587F50F367E0AD2EF624DE2B9C0,SHA256=E2E64754567E2DC04300CED0C93CA8E13CDAC1820F970875278A80C42D3D7485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075953Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:48.435{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E90A921DC0E655109AF99B691BC0EC7,SHA256=E549D4E54AE83B8BC13D6083C932A459889D1DA948AD76E68EA1189382553924,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078281Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:48.338{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078280Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:48.338{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB9BBF869733214B2ADFA31779F1EF8,SHA256=5DBD6844E16C50BDED5751EFFF6DD439478D21BE4117791B5FCA630E1B3FE246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075954Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:49.451{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B133E9C8CCD042D7CD0B9BC6A054E2,SHA256=869BC69032269B2E0DE91C9EF2A572F83029894F090A0FD802635F95CE692F45,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078283Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:49.353{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078282Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:49.353{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C05B0930E4F45AC8F651DCAE6AD4E6,SHA256=C7EB85A97BC3C44CA121D71E6BA053D6E3C57FEA4B9310B93E0206D6AE9F425C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075955Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:50.466{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC5C9AD8FC1F8082F50A7CD422A141E,SHA256=D68BEF7140C4BBF22EC5CA75D22ABBC4B3F6BB38AAB614A37F90497700AA7817,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078288Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:50.510{3F3E08E7-37E4-60BA-1B0D-00000000C501}5452C:\Temp\test\conti.exeC:\Temp\test\readme.txt2021-06-04 14:25:50.510 11241100x800000000000000078287Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:50.416{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-06-04 09:23:23.209 23542300x800000000000000078286Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:50.416{3F3E08E7-02DF-60BA-6306-00000000C501}4144NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078285Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:50.369{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078284Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:50.369{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C7A8D83A2C0EACA6D7FB6F5FE6F296C,SHA256=87DBE33062E4F25076426D1C1C7EC206485DAEE03DBEE9E799C73C80FEDDB321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075956Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:51.482{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2C44415BF6449B569D2F60CFFE0A1C,SHA256=8A59ABE784427C0AF0F2AA20CEA5080E724A1033594BE2B029393B13C753B8E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078292Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:50.142{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53570-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000078291Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:49.830{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53569-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078290Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:51.385{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078289Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:51.385{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95DD8245A7382404B73EB800BE4A67A,SHA256=B2DA56287AC6A69E5483864A3543F6AEFFA00AE5F52614F5D8BE8508CD867A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075957Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:52.498{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A425CEF95747687B3DF72AA4FCDE6DA,SHA256=DA5686BB8668E248B797D14A80502058EBF721A242A9F7786C2FDF2DD84A9F96,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078294Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:52.400{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078293Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:52.400{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2C7A02F531DDD4F5DFBB7DA4497D50,SHA256=97F07239443132B6D261AEE28BD2177A3E7F926AE3621C27495B5E790DA7A5B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075959Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:53.513{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F53A207F7BACDD06E283F52522B5D7,SHA256=F4201739A457B756A121786C4DBC4057B90EC99012C64662ED0B9CDD802B2ED4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078296Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:53.416{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078295Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:53.416{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3073BF9FC2E97A6DAA6DDE1F730B7AF0,SHA256=F62C23E586944EF319A1463D50FFA0AA430E8FEE45C097F36540A517C9BEB36D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075958Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:51.331{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50657-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075960Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:54.529{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8A3A169D1BDC2EC739E56F1F6B3531,SHA256=B5CCF1110BD4C733FBB12BA62355722D1591E7C6575DFD632BF924DA560CF9FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078298Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:54.431{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078297Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:54.431{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A094D7AB9DD10E5AB1FEE2239B9C1B7,SHA256=D18990EBAC24D050ABE9E51FA3F6B0F397F2F96122CFBC2DA2AB0E8A203F3748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075962Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:55.544{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5339C0C7B167DECB40782190CA6BFD1C,SHA256=1DFB28692127861A6AF918DEC9132251016D1533681599AD4A99C3B7320240B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078300Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:55.432{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078299Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:55.432{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD471222FCEFA9D0005A02722BAC250,SHA256=B91068440AAFDE4DE92679B19BEE799333B9B4DAC2ED6D92CCF32ECDD8DA2F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075961Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:55.498{89999F75-EED0-60B9-1100-00000000C401}376NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3271E2FD4020F8751AF5274F2074BCBE,SHA256=8AB49C43889E3C6E188DC5B0EEF916BBFF882A9B3E8D401700CF98D4102335A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075963Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:56.560{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4888CB8B93EE9028D0040575EFFE0F3,SHA256=68A77115D02217D68CDAAAF80C6F903EC98FE5C8A5BD0706AA1C964185787283,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078302Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:56.447{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078301Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:56.447{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDCFDE12B5807F1BD97514CB2D40C4B,SHA256=DFA920D3ABAE4994ADDEB56B14150496670F5EAC3FCE4CA0C90095315C26AF7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075964Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:57.576{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748FB290E763CE7291AE13ED72C89516,SHA256=DC8A6EFC3F6BD76E3CE883A2C09C5DB60159ED080AD45EB96462266C4C1C85B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078304Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:57.463{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078303Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:57.463{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72630333BA54F30DE8BDE0464179742F,SHA256=7105F7B1495DE249C533CF2F42C595B8C932AA01E788E64B6081D37940AFCF0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075966Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:56.331{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50658-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075965Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:58.591{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573CFF0BB2A1F574C437390CC2398322,SHA256=865539D6ED7B5F4E9AD38F7A91D7241CFBB835EFF6D438AF17E6763A64F0C2A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078307Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:58.463{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078306Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:58.463{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8600489E4FD7D62F18CC48DEF0EDDC21,SHA256=084B4FEE5FE0C3016800377EE237B5D623B6A000979AD841DCC6F683BDDEB35C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078305Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:55.861{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53571-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075967Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:25:59.596{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8C9DA20E68F4B515CBB79078CA3066,SHA256=4B1C44AB428786A92130A72C848FDE8CD615778D0179FA08446796C9B84130F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078309Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:59.478{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078308Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:25:59.478{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DE8AE1EDFE1221C83B34D369FE2623,SHA256=64CFA32CDEFDB3623CB433ED97525E11F4940056781D519C9D1ABA3D22828B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075968Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:00.612{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1DDDB20D38730ABD7D11BB076F14B3,SHA256=8DEC6FE572018DE08167BE2E6A3EDA6BC16E16F0DAFCD67B4A43A8AA87D6250A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078311Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:00.483{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078310Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:00.483{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92BA9E9562708CAFB51DC46062D9FDB7,SHA256=CAC464EDEC30CF9C4749EF7197212182006AC915980F5F320219AD043AA2DBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075969Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:01.627{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD608CDA79B9F334E5AF4399E9CD0E2D,SHA256=38B09EAE5B6D1BA66FF97436B569EFF901B99584ACAFE3F3CDAC1CB91C116448,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078313Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:01.499{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078312Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:01.499{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EBB5B7F96A0C35F3F6DC54D0BE05B0,SHA256=AEC2C70F9431EE71B9D7E0E32A718C914787F2C41767FDFB5E1C5495ED8304A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075970Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:02.643{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D233108085B5F90A35025124E72FFA,SHA256=4E9136D47189954CF35069540172BE146FD734CEBE8174242AEC7E486CE7BEE3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078315Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:02.514{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078314Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:02.514{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC33D2502773B9C63958DFFF64F9364A,SHA256=5E3B35431D0139479A6BA033FCA24C076FCA34C25A56D2769947E08F84CC8372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075971Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:03.659{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42800923BEFA12288C15C0D00398A3E,SHA256=3A95FE42153E26D7E39E9625082E074AE5CD448CE6EBBF68462D9C9E2E38B99A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078317Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:03.545{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078316Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:03.545{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6814E255293E531C203D95A70D4CCFBB,SHA256=2C961A81DCCC0D8BC7065B96E4075574786A3143525AD0DD682C0EBA19BC3497,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075973Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:02.367{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50659-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075972Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:04.659{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99483CE79A9C178D779EB705CE0F4CC1,SHA256=731B18114AD0298160F9678445A598B83CEFF8BCC6E2EA38C2091CA247EA8611,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078320Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:04.546{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078319Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:04.546{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DBCB6EDEBA5183E7EFBA8FE08CD75F,SHA256=4476AA9DC8A3B699A52E3A4B9322831383695848C207CD5D2AE219555AA06B91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078318Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:01.850{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53572-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075974Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:05.659{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D830C1269B79F74A35B1BF5B06A11650,SHA256=CD7EC31C1488E1F3C6E2A716D207648464B01D41F87BBFA7492BBE543EBCB462,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078322Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:05.561{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078321Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:05.561{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D26FCD4E1D564783D84E61359A95A16,SHA256=CD9CCE961E5ECAA244688268A9DD646D62EF4808A238EFD67879B5C64F47709D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075975Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:06.674{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F090BE6F2D03D1E37DC71524AE3663C,SHA256=BFEC9391989252964CF34502D83A6894CF14CB33AF61A7A93A7053F056475EB1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078324Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:06.577{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078323Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:06.577{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D85A26EAD8CB3C3C521DA0FB0D581B,SHA256=9AD1DE6CB9FD8A6E4D21B48872485504122D3E36CFD281A03DA1AD725FCF6C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075976Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:07.690{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6197A98E06C20B2E4A9570F545BB09AE,SHA256=573FD683737B19427A2688EA7482C1DE1866AE8006B759FE2E26ADA78C120352,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078326Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:07.577{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078325Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:07.577{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06864ED827B0285329369AA33F0E5568,SHA256=7034ECBEBE65B2C6FE5F97D88F82F7A11BC3BF10E57907E1E04823DC8D65393D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075977Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:08.705{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B54C26D4691F0047232B0F4677431A,SHA256=F2330925D1ADA36CD2567910848D321A31D62D8AA780E42323157ED946390274,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078328Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:08.592{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078327Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:08.592{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE1D4D9B76F08D22A09B174FBD202FD,SHA256=F127E195E554BBAF2F3E59E8100B2700DD70423C9C1AC44303B46365DA8272D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075978Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:09.721{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210BCAFA2931C3AB897F640AFF38BB29,SHA256=CD76375D981811F9279DA41FB20B735C28DBE0C66C70E2DBA5DFB8C839734510,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078330Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:09.592{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078329Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:09.592{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BADE9C06F5439AE7D19FDDAE598D3B7,SHA256=E6217D6A0CB93E0B3FFA60132F82D042296603A9849FB389FD0F7C909C9D4AFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075980Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:08.383{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50660-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075979Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:10.737{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89280805F03434367C01EF17DF622B32,SHA256=24A0E79C9D278CEE078C044648091035279095CB23529D2977E7183672833433,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078333Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:10.592{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078332Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:10.592{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35085173C0A853C134BCE866B1CBC812,SHA256=D08D872EED3262929096B6B88813C38D7FBDB60D6438F336C4B6877CF959892A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078331Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:07.897{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53573-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075981Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:11.752{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBAB356C8EF3B404F80BDCD7C490F1A,SHA256=3B073A43F3CA485ECCE3BE04A440692CD80458CD0E9305702CE28C67A12A10FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078335Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:11.608{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078334Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:11.608{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF61ED62096D9B321470EB9D4747BEB8,SHA256=65B17A38D3525F6712B0F1201853410AED4CCD7CA91E3F9B43BE27B07158015B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075984Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:12.799{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41C55069064317BFA31532A8CB09005E,SHA256=78151136CBB7BE1136B7A10668395C842D1AD2299F3767E144F27740698D3F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075983Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:12.799{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2EBE13E69BE49F30853F0675D67BCBD,SHA256=0D7F4375A0E67F7AAA427771FCF9788598986FCC024B2665B0023C9FA7C1CA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075982Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:12.768{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13FB6C239E784AFA4BDFB10AA7D9422,SHA256=1B6A76385D47DEAF531DB296CBC644F45A9BE9E28C7BCE12FCAF88D7AC07AD23,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078371Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.936{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078370Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.936{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04CEE934E6B34C2F1AE3EBCE7491F4A,SHA256=6E7ACC9C5E2609792CFD9B3999C318B49055EF953C16B52C1C0E7C30E91E50F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078369Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078368Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078367Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078366Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078365Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078364Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078363Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078362Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078361Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078360Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078359Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078358Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078357Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078356Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078355Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078354Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078353Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078352Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078351Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078350Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078349Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078348Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078347Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078346Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078345Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078344Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078343Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078342Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078341Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078340Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078339Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078338Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC44-60B9-4305-00000000C501}4364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078337Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC44-60B9-4305-00000000C501}4364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078336Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.124{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC44-60B9-4305-00000000C501}4364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075986Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:13.784{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54EB7B70C81FC9EDA9E7B98A8DF64441,SHA256=96D7B99D1FC21709D1207DBB24CABEE664588199A1768848851AE0C8D5B90414,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075985Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:10.443{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse167.71.57.13910.ent.x64.eval.us-english.gz-s-8vcpu-16gb-intel-fra1-0158419-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 23542300x800000000000000075988Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:14.799{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E9CD81A977DE8473FEBB5A249F9E3F,SHA256=9C090F108790201DF9732E5953153BFCE86B8EA078B92E9BEC059367424F2712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075987Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:14.299{89999F75-EEE0-60B9-2D00-00000000C401}2980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078373Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:14.014{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078372Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:14.014{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C23E600FE85C056AA3B0CD4CB471E72,SHA256=92E5479D8026FCDB3D80A3C45627B39609A8F81EBE58AC1CD9339639CF841EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075989Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:15.815{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CD9AA0874E9A3C4E0B4EFBC383E593,SHA256=D15D0340B9D93C158A2F0476ADD8A6F36B7F244DFA1E7BCC275408A59737307B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078376Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:12.928{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53574-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078375Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:15.061{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078374Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:15.061{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1765A6E9E9C0DB3B34678B51FF058D1,SHA256=B89F42BCC77725E22F6223CEB7539730D9A2E9CA00180A6D7B58B94A8B91317B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075991Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:16.830{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEF625566BA49C8DA46AD391212B590,SHA256=84D867C416035BC517D971BF881DB345978332C216FB601A7042EBA92BF81C6F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078378Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:16.233{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078377Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:16.233{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A58BBAEC6475D81A555BC8BD636EC4,SHA256=82C2D3204B6705D2E6DD5B662051ECFB0658B355D75C014316238F548C45EF42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075990Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:13.476{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50661-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000075993Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:17.831{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DD49C75BEE40C641357893AEB89129,SHA256=C5F8FEB608B769E9878EC5DE2D4E5FD3719A1A61638C5378FA5BFACD3B17CE0B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078380Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:17.467{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078379Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:17.467{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D70774FCC7EFDDA26AE72035CF672B,SHA256=050FB95D206BCC246356CAB82F2C14977AA3AB33FDC0AB4351FD7272F7605C30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075992Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:14.211{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50662-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075994Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:18.846{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DCBA1960299B48F3CD9F0B72805516,SHA256=772BD79862ADC47A2F3A38C5683C65D758B6C6FB2FC26C09704695893C91BF59,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078382Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:18.499{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078381Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:18.499{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3905827069BA935726CECB945B9440B1,SHA256=1C733DB59D1765270730416ADC97CD1243F102F7E8AEF12CE8E1574B1CCBB930,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076010Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.975{89999F75-380B-60BA-E30D-00000000C401}1100648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076009Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.850{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C41C2F332185AA9F81E86C4924F7BD6,SHA256=B2B36FC574627517399A097418EF7632A881AFAF673AEBBD6A538C66D135FA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076008Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.850{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3972F154F767331F643DF26D976CB971,SHA256=021207F3929738BB1AB3A7672835D336A01EAD9B6DFC6DD24F0276B16D747812,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078384Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:19.643{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078383Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:19.643{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA62AFB49CA6A8B76C7A07910B601766,SHA256=B3CE26B87A993892801F05B0472A35830C69CEFEE33E7E2F6798D67BE3F32614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076007Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-380B-60BA-E30D-00000000C401}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076006Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076005Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076004Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076003Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076002Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076001Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076000Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075999Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075998Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075997Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-380B-60BA-E30D-00000000C401}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075996Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.787{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-380B-60BA-E30D-00000000C401}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075995Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.788{89999F75-380B-60BA-E30D-00000000C401}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076026Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.865{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEBE9352D34579CA936A8DAA8649CBB,SHA256=7EB8ACD9989F7644DDB9FF3845A8EC3B6A3EE42A3F0EFEDD29769EDBFAB29CCC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078386Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:20.706{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078385Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:20.706{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4688149060E245A0992D93D3BEE9359,SHA256=37A4613C692D005D4E65D247F6BC265875D36BB37BE3D0365647B37F3074F9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076025Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.834{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83B663C47FA2CF7A46D4AA99039B869F,SHA256=835CA76F81B2F21891304C76B6C49E3382513199F343D8F40CED90EAF69754F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076024Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.834{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41C55069064317BFA31532A8CB09005E,SHA256=78151136CBB7BE1136B7A10668395C842D1AD2299F3767E144F27740698D3F90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076023Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-380C-60BA-E40D-00000000C401}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076022Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076021Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076020Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076019Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076018Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076017Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076016Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076015Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076014Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076013Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-380C-60BA-E40D-00000000C401}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076012Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.459{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-380C-60BA-E40D-00000000C401}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076011Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:20.460{89999F75-380C-60BA-E40D-00000000C401}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076053Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.990{89999F75-380D-60BA-E60D-00000000C401}45761076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078389Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:21.768{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078388Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:21.768{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C0604CC24712D382045620BF3B50B0,SHA256=1B13D4DCEDD1DE93FF0D03A798CBD2D0071987F0EFF60867F0817896ADDEE521,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076052Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-380D-60BA-E60D-00000000C401}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076051Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076050Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076049Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076048Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076047Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076046Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076045Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076044Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076043Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076042Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-380D-60BA-E60D-00000000C401}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076041Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.819{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-380D-60BA-E60D-00000000C401}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076040Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.820{89999F75-380D-60BA-E60D-00000000C401}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076039Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.131{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-380D-60BA-E50D-00000000C401}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076038Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076037Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076036Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076035Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076034Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076033Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076032Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076031Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076030Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076029Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-380D-60BA-E50D-00000000C401}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076028Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.115{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-380D-60BA-E50D-00000000C401}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076027Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:21.118{89999F75-380D-60BA-E50D-00000000C401}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000078387Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:18.959{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53575-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000076070Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.694{89999F75-380E-60BA-E70D-00000000C401}50403596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000076069Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:19.246{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50663-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000076068Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-380E-60BA-E70D-00000000C401}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076067Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076066Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076065Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076064Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076063Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076062Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076061Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076060Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076059Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076058Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-380E-60BA-E70D-00000000C401}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076057Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.490{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-380E-60BA-E70D-00000000C401}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076056Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.491{89999F75-380E-60BA-E70D-00000000C401}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076055Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.256{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC08D1ED1735046205649873E44A7E62,SHA256=7E4ED5213DE130C2C6784E6248E7FF86EA8F79279334AB2ABFEE5035FB49A495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076054Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.256{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83B663C47FA2CF7A46D4AA99039B869F,SHA256=835CA76F81B2F21891304C76B6C49E3382513199F343D8F40CED90EAF69754F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076072Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:23.492{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B54D5DCCF14B43CB446E8D9D7EF6C30,SHA256=15D418D0092EA9C88F0E31D187BD7F77E3D4206470797939D96F2425019D3D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076071Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:23.226{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED68884E0F7A2B5CCAAE6BF582160EA,SHA256=56B99EDF804BF268F9418C789E318ADB9CB65CF450599BF197E4DA8098ED2CCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078394Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:23.127{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078393Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:23.127{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078392Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:23.127{3F3E08E7-F094-60B9-0B00-00000000C501}6324296C:\Windows\system32\lsass.exe{3F3E08E7-F094-60B9-0A00-00000000C501}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078391Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:23.002{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078390Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:23.002{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7052C655E28133535253E781C747783F,SHA256=191F323848F838EDBF086D2D90031FF5320E3E13A0BB2A4110075C9DD30C5BE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076090Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.317{89999F75-EEE0-60B9-2E00-00000000C401}3032C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-392.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50678- 354300x800000000000000076089Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.317{89999F75-EEE0-60B9-2E00-00000000C401}3032C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-392.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal64989- 354300x800000000000000076088Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.316{89999F75-EEE0-60B9-2E00-00000000C401}3032C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-392.attackrange.local49579-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000076087Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:22.316{89999F75-EEE0-60B9-2E00-00000000C401}3032C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-392.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal59696- 10341000x800000000000000076086Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3810-60BA-E80D-00000000C401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076085Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076084Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076083Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076082Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076081Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076080Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076079Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076078Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076077Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076076Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-3810-60BA-E80D-00000000C401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076075Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3810-60BA-E80D-00000000C401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076074Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.598{89999F75-3810-60BA-E80D-00000000C401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076073Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.301{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAAD4345B7108AB119D60E46E0CDD7D,SHA256=8B76F157A0CD9D8DE28DEC88A0AF5162CA2738926810839B02FD88062BC955E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078400Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:24.206{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078399Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:24.206{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73925083897CF4C112A335EC76DDCC99,SHA256=46C32022F218B2D119A1E603C8B615841B61DC0CFD4B57723313D6CC10B55DEE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078398Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:24.143{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-06-04 09:20:37.385 23542300x800000000000000078397Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:24.143{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E2D3CAC60B6F0B1A1A6E484DDA71F97D,SHA256=823E4784B1041EA0DC861D1B14D66D3CE4A6B0C5551A3B4BC273237F575C876E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078396Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:24.143{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-06-04 09:20:37.385 23542300x800000000000000078395Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:24.143{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A88BD4282E01BF37B0BC9359E2D0BBE,SHA256=A265D6D1ABC9E0D2130409D764F2A86A874C92908DCD82740CDE79C51B6CC640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076106Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.788{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71009643AE7BA31AF93C60F396554DB3,SHA256=F663064A1D9899A66609B615ED8B0A2C096A8B8957FF95C86E738DE441A86F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076105Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.788{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDF09EEE50225F13DA4BF678502D58E0,SHA256=07EF0FC955EEE52F4900C8363114DC901DEBE57CCC72A200DA074BB71FC67176,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076104Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.460{89999F75-3811-60BA-E90D-00000000C401}23965068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000078403Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:22.881{3F3E08E7-F094-60B9-1700-00000000C501}1200C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53576-false93.184.221.240-80http 11241100x800000000000000078402Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:25.440{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078401Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:25.440{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3269746C8679BB513DCDAC09CE8AEC30,SHA256=7043B9A1CA0D932840CEB9E30A35CCAEA50E75298D0EF08DBA9E8F9EBF383292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076103Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3811-60BA-E90D-00000000C401}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076102Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076101Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076100Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076099Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076098Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076097Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076096Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076095Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076094Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076093Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-3811-60BA-E90D-00000000C401}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076092Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3811-60BA-E90D-00000000C401}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076091Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:25.273{89999F75-3811-60BA-E90D-00000000C401}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076110Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.450{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50665-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 354300x800000000000000076109Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.450{89999F75-EEE0-60B9-2800-00000000C401}2932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50665-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 354300x800000000000000076108Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:24.262{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50664-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076107Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:26.476{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFA9D235F7FD459A99329B6B093E09D,SHA256=F1EB55473C3120BAAB3D4BDB3214507BA3995907A1B9161752CEBEF5A7DE657C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078406Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:24.962{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53577-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078405Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:26.487{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078404Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:26.487{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6857F94127721A65F76941F8F9016B,SHA256=424DAF405046E6E330A3B2498FBA0D9D48A7C3BA3501A6CCE0DA197FC270486F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078408Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:27.581{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078407Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:27.581{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433D4A5CE2593C7F85252C2C3CBA7B96,SHA256=91673849EED37380BC4025ABA6102FC93B8A0CCBD55D1E6BDD90304CB63318EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076111Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:27.554{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749D7B9075B71D09D9B19FB2B67EFC4E,SHA256=C942E5E790628EEEEFBA8E113E66ED451A9381D36E6563C0D4BD861037CA443A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078412Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:28.582{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078411Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:28.582{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E96E26297D129F8E48B6E83B39FA8D,SHA256=23D1DCB574720D06F1BFEB84CC7DC7DB92366FBD58FF09722CC31CD0B0EB62B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076112Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:28.585{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88BA696F68420B8AECB1BFFD0B58221F,SHA256=6AD6546962D24B1CCBF5F6A34DB6605A27A2F20D84F9D048CD4EAC82BD02E269,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078410Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:28.410{3F3E08E7-F094-60B9-1100-00000000C501}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-06-04 09:22:24.815 23542300x800000000000000078409Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:28.410{3F3E08E7-F094-60B9-1100-00000000C501}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7BDA50E3B3910D3D259C881E67E44ECA,SHA256=C78DC205764CBB1A3D7CFD1FAF09B9CF86EB83E331AA6AE4E54B95684766E57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076113Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:29.679{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A36695ECC78D5034BB4621150A17F10,SHA256=DDF75EF14B050E431E8E12FFC353FDD20B9507682CC1C1A1EB6457C98280032A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078414Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:29.613{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078413Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:29.613{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E148D503EE6FCD57A3139CC1F0C5B013,SHA256=DC993910381E87A3BB93A7529021DF706B29ED6A8AC9E2463337A6E67C0DAD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076114Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:30.913{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38EB3DAC8216AA7640A25DDCB15155E,SHA256=2283AE84BE10EEA8C9D501D066B682E6EABF1973CF72F306321170A807758517,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078416Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:30.644{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078415Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:30.644{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E9FA9ED801EB0C67BEAADC747CE6AE,SHA256=D1431344F2B85763BDE0DC1FECE4433C333F1B9CACCD99186654278C9A75C0FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076116Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:31.913{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE3129A3C2F64A4F3A389B8F2F0C189,SHA256=D829A612D98F6A75068011C50EA657CC8C02A1D06D0B4BBF36679A6CDED02FC7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078418Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:31.676{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078417Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:31.676{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CBC51B1F0EE1611C575E6299834EAA,SHA256=49A1A44D780C64896EAD46A776894AB4E36071FA7A4105328353736F9D048ADF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076115Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:29.293{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50666-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076117Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:32.929{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122560E7FD6D9E5ED639BAFD0FBCD3E1,SHA256=65E7C73B2FC2BAF7D0683E49C9ACB8C9FF778993508CAA14C124447214312286,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078421Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:30.948{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53578-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078420Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:32.676{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078419Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:32.676{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F001348CADC5D6A91A0942B7E69C0219,SHA256=4E322783A61E7329664D1764A691EF469123E19C927CC555443253F25A043C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076118Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:33.960{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F65F9628EBFA5751A891B0CFE1AD16,SHA256=0C4EB112B0AA89EA273C3E9F515E08B59167FF784D27BED97EA6F83A0B68868D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078431Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:33.725{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078430Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:33.725{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7245243DA98098C0CEF47920749517,SHA256=79A26DB43798A83C29335959C74EA0E96550F1F9E04147F67AE5218AEB88BCCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078429Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:33.459{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3819-60BA-1C0D-00000000C501}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078428Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:33.459{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078427Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:33.459{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078426Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:33.459{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078425Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:33.459{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078424Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:33.459{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-3819-60BA-1C0D-00000000C501}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078423Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:33.459{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3819-60BA-1C0D-00000000C501}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078422Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:33.460{3F3E08E7-3819-60BA-1C0D-00000000C501}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000078454Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.806{3F3E08E7-381A-60BA-1E0D-00000000C501}13324488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078453Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.744{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078452Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.744{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EB16954E972138511658090630150F,SHA256=19B63E85DD2837440611D3FD7C0BA2C9760DD2256E922B9007232C8B41AC3381,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078451Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.681{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-381A-60BA-1E0D-00000000C501}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078450Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.681{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078449Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.681{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078448Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.681{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078447Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.681{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078446Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.681{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-381A-60BA-1E0D-00000000C501}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078445Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.681{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-381A-60BA-1E0D-00000000C501}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078444Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.682{3F3E08E7-381A-60BA-1E0D-00000000C501}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078443Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.478{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078442Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.478{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87CC7544009F00C33211C9B7EFD913B,SHA256=53849D1689A486EED994769DF19858096050FF35E2D52FA6E93203C72616FE4A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078441Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.478{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078440Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.478{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BF1C4BA84D9BDB617A34ECEF0A4CE6,SHA256=39C383D625AA1236FADFC9952222C6584DCACFAB0103DB0BD1FD736B967306D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078439Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.056{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-381A-60BA-1D0D-00000000C501}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078438Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.056{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078437Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.056{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078436Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.056{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078435Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.056{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078434Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.056{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-381A-60BA-1D0D-00000000C501}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078433Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.056{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-381A-60BA-1D0D-00000000C501}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078432Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:34.058{3F3E08E7-381A-60BA-1D0D-00000000C501}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078458Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:35.759{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078457Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:35.759{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54311AE97229D7937A409D7CCCB3E57,SHA256=952ADD0C276E8144338473E6AB4B51CE40B3129DE4649AF2E4069E0F002D7ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076119Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:35.007{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AC8A8AF3C3823C837856194758E094,SHA256=0C14172D7EA9491060943B3A089840D4F3B0543E10A147DDC3EB778191A28C49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078456Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:35.681{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078455Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:35.681{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87CC7544009F00C33211C9B7EFD913B,SHA256=53849D1689A486EED994769DF19858096050FF35E2D52FA6E93203C72616FE4A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078469Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.885{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078468Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.885{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6F617EBB3C0DD7B12C708FF50EFF97,SHA256=254D88161DF36CA1BF3F238739054990336B1448399969E750845166F427FF3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076121Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:34.325{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50667-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076120Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:36.022{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C22CC6F2BCC0E6A1E71369F85B7447,SHA256=26D8E9EBC4EBE3EA87BAA94E6A66C9FD9D125386FDE045C3DAE6EFC168B42B51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078467Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.478{3F3E08E7-381C-60BA-1F0D-00000000C501}55323392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078466Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.353{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-381C-60BA-1F0D-00000000C501}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078465Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.353{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078464Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.353{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078463Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.353{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078462Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.353{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078461Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.353{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-381C-60BA-1F0D-00000000C501}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078460Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.353{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-381C-60BA-1F0D-00000000C501}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078459Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.354{3F3E08E7-381C-60BA-1F0D-00000000C501}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078490Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.900{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078489Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.900{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546F7EB96207C2C581CD845A16D957BA,SHA256=2EDBDAA1B64C69DCE6E3733369FF3A808E7ABD53A961A0ED23B83924CDE3D344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076122Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:37.038{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D488D74CD66BEE910BFD1C87C215A300,SHA256=AD9A3687CC1FA1066F6BEB4CAD9A81EC0098ED641C35B33110BE84717ECD0385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078488Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.697{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-381D-60BA-210D-00000000C501}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078487Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.697{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078486Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.697{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078485Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.697{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078484Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.697{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078483Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.697{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-381D-60BA-210D-00000000C501}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078482Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.697{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-381D-60BA-210D-00000000C501}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078481Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.698{3F3E08E7-381D-60BA-210D-00000000C501}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078480Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.384{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078479Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.384{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEE91373D5B90BF94A2EE5CA5C4FE071,SHA256=F3C568EE51E70F36D2096149CC32EF8BD5548ADE7F8A07223409205EC7422110,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078478Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.150{3F3E08E7-381D-60BA-200D-00000000C501}55404464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078477Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.025{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-381D-60BA-200D-00000000C501}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078476Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.025{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078475Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.025{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078474Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.025{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078473Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.025{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078472Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.025{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-381D-60BA-200D-00000000C501}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078471Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.025{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-381D-60BA-200D-00000000C501}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078470Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:37.026{3F3E08E7-381D-60BA-200D-00000000C501}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078504Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.900{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078503Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.900{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BAE5DCF63CA8DC39306C39053C8F5E,SHA256=B32338F05027E03406620BAB1AB13784CADAC3601FFABE59AE69D97920687515,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078502Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.713{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078501Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.713{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ABFCE2DD9DA13148860CE5827038E7B,SHA256=EC8C6891A17AEBCDD5EFB927E50C5A1BB1204446E8BA92CC80415BEB964EC1A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078500Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:36.907{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53579-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000078499Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.494{3F3E08E7-381E-60BA-220D-00000000C501}41125560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078498Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.369{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-381E-60BA-220D-00000000C501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078497Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.369{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078496Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.369{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078495Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.369{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078494Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.369{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078493Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.369{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-381E-60BA-220D-00000000C501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078492Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.369{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-381E-60BA-220D-00000000C501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078491Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:38.370{3F3E08E7-381E-60BA-220D-00000000C501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076123Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:38.038{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66E5A096F00DAF30498765090ADEB11,SHA256=33BF2E32E841788CE2DEECC4FFCA10315D3FECA99E8B2906BA1159F7C315373C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078506Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:39.908{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078505Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:39.908{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FD7144EB549B83EBB644CF759C8AB3,SHA256=D8CC9FB4374F7F1B3E6176927CCAE8344C643C1F4FB5B377C1A115F8AAFBE6DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076124Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:39.038{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35623C209D5879B2B45FF8A52BA7EA60,SHA256=6FE47A8BC0EF17E4467671907B041E423980F78B1E0FA7F992E247A6C5166688,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078508Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:40.924{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078507Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:40.924{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C29E9CCBEBF4DF501FDE3CFAE89BA6E,SHA256=BE631F80D053A4BE91AA7A44CA412D69FEC5C6B2D79F80336B415DBE624146C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076125Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:40.052{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945DF0DD24B50BCFD439B25582390B1E,SHA256=F761D791986A45C3DFD62261C97ED6FD8C6A1848264D8A2B97D78A3A61530C6B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078510Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:41.924{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078509Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:41.924{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3544FB3FC5019F57080A2D25D121C2A,SHA256=5A6CE682189DCBAAF628E62F0FD187E4708901A1EBB63B4B0B6D42F02DCDD559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076126Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:41.052{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E95FE0274EC067CDDBA62D29D8B4B87,SHA256=DAF6CA158B4B67A0DB0B16518ABAEFEE84181526CCB951C66B5CB119178249CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078512Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:42.939{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078511Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:42.939{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE62F878849973EC10A0BD878D10E2FB,SHA256=57E650D6A3EA613D566595365541C31445801E52E7C8FD9B3DF77B4C1D475CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076127Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:42.068{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8358B6C4EFE24DCA6D0393421F3FEE38,SHA256=6CB7EFBE4C45CD56E1D25A7183781D4325EC716061C360CE476A8543A5D1D23C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078514Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:43.955{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078513Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:43.955{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F445A9F117FC634C3BAF992562B3D8E3,SHA256=AE9225C245FC20739F6B324F30E062213591EE0C9B2144FA925D4A07D3C3A873,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076129Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:40.354{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50668-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076128Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:43.068{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC8B1CF7659601F68C2EE7F61196DCB,SHA256=E9C5D82C316D156F27DCEF928142C5F65923E5274C312528A811020117670279,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078517Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:42.946{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53580-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078516Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:44.970{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078515Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:44.970{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E51ED9A347FF111AA183E748DCCC3E,SHA256=12A6BC9389F30C42230A19438A0E420583D8F205F3FD9CD5D6AE4D0C95A09AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076130Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:44.083{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF811FF3024EF01592F28FE060E2C56,SHA256=AA032F2C8EA799CE8870E46F02BB5E36B49A4C029DEC1D5F6B9D52756FA3D189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076131Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:45.099{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE37B08BFC2A5583E7CA09988273991,SHA256=B3F2CABF0873D334940EF0080C51F0494E97C1A2B30B03B005D10771E04A7833,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078519Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:46.033{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078518Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:46.033{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B7F947D46FB653016E006CB033EE54,SHA256=3072408B438F90D7C4FBE2D03F5795E797F66AC292CC8D0864439844BEC7FBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076132Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:46.114{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CDC9457F2315FB51C8AC01B8126407,SHA256=B2B4B03557B203E2010387F463F96DDE943791E0866DE88BD0FF38283F65FB27,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078521Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:47.064{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078520Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:47.064{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E011DCFABCC2D12B0C5240D14FC098D4,SHA256=D0A0DD7AF612EEDCB294D42C068ED7678322904C38E079C0E7C0B3397A344869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076133Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:47.130{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256BE6274DBD33E8BD18C67884F995D3,SHA256=C0CABD4A1B8B207CABE56AA7EC13D586DDD134F8BD0C0FAD3BDDD42A74CD581B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078523Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:48.080{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078522Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:48.080{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA576E39245300DA1C8D50CFBC62D1F7,SHA256=5A5E1F5AD355496B3034429050D62D7769045A17F42FBCEC88EC950C1FBA94EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076135Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:45.354{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50669-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076134Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:48.146{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94745AF45F3A5CD1D19642662A58C1E1,SHA256=BB8BECBEAB405E99A32F0881627376DA004D75B91297D09C93EB85807C1A9E42,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078525Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:49.314{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078524Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:49.314{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD73D4D885A58849CE751E99D52F9E42,SHA256=22830D8FEA6F2CE3C13C3A399C88D402D68EB396A6C76B2E95B2A3C105CBD238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076136Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:49.161{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BC3F49B75735A3C4E4F2E119698988,SHA256=54961DCD9BE0C6D9C9F89BC682832FF4B0BFB27F9DB3265F47CD141B8CABC54A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078530Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:50.455{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078529Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:50.455{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8CFFA9AB7CE4990797B6B4889A94E5,SHA256=412D12DF65E54C71E3A2CA6F283A44D30C07D126BDE85ACFC2A57E1F673267C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076137Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:50.161{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7196E09C4E824A7BF096D5B1299D801,SHA256=53249CDCA6373757782E2A34646E2DF78C5BD9A9FD77E6D4D2D8C9E65E579728,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078528Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:50.439{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-06-04 09:23:23.209 23542300x800000000000000078527Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:50.439{3F3E08E7-02DF-60BA-6306-00000000C501}4144NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078526Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:47.977{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53581-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078532Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:51.502{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078531Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:51.502{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F5C453ECB0EAA23639DB2E0BC59473,SHA256=9EDA7FC431D56C7ED101B25FFBEADAD057B9055984B969F7ABDDE3891C060D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076138Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:51.177{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37393AF6C3123B5B688A6F1BC0FF1FD1,SHA256=E7542518A496EC3F1120D8ED87585C42A31030B811CF2C8F4E37FC1CC20BC44E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078535Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:52.549{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078534Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:52.549{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A67D812A76A4B76ED4646CBA4A1A4C7,SHA256=9FA932F479460F3A712A64F2B0CD45C383A776B71D1EB09C10BB9B2602BA8D02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076140Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:50.385{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50670-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076139Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:52.193{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECD13D85F49E51F5D5AC9A17C0B4728,SHA256=B3685E8866B1EBBEACD9BC55727951619352E6DB543317A8B95EE7ACBF460BD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078533Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:50.165{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53582-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 11241100x800000000000000078537Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:53.783{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078536Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:53.783{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C0013F16D7673C1969D177AF6EC603,SHA256=F4BA3DCEB5A3E17E4BA7AFC8A58F100A1F5BDF3CECED4DA930B9BCB0874762DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076141Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:53.208{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FEF4BC4C48AAECA1987B3CCF0931A8A,SHA256=FCC81B481DB0330483AF9B30F82A8B03AC31B1845D5D7508F4DF7D128FCB35C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076142Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:54.224{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECC9EB56D31FCBDD37C7782B1C7330D,SHA256=1DB97A3F7B824C217FA45A0A271A084459F463546E08069058CFC8B304407C19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078540Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:52.993{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53583-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078539Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:55.002{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078538Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:55.002{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EAFD3278B9996D6396DD8B7792E0C5F,SHA256=1FEEFBE66D7A9CB355E1BCC7CDE4E11127B288BC216D89D4519D03FF23AF5968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076144Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:55.505{89999F75-EED0-60B9-1100-00000000C401}376NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5B27A713B1EE9A1C41E429A68C02787C,SHA256=E62E2E2087F205087A79DD5CD560C183CA3A7FBE3662C87341B521BDE25B16CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076143Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:55.239{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658E0E1E5D9909E1B1E1DC3254662066,SHA256=E8553692AAD91FC6B334B81F837753ED420BE01236DD44F2A131523ED79C9D76,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078542Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:56.127{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078541Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:56.127{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98967F757F53D2FC8C1AE93FC3F00361,SHA256=7B2DE32B32D1026C3C7E460FA94D4A4EA8C0CC2C4D835CA76DAF89B17E8C708C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076145Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:56.255{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA64D06DA938A036E0E61FA2FD9E0F3,SHA256=E75559C6397FA75B43266D890060DFA707D3C7A127024EBF51C938DC32499E5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076148Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:55.416{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50671-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000076147Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:55.055{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse159.89.104.24810.ent.x64.eval.us-english.gz-s-8vcpu-16gb-amd-fra1-0163333-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 23542300x800000000000000076146Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:57.255{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06386762679B67A260875ABFE3EEDB9,SHA256=0C10F81BB2D3A17942DFF9F41A5CE386BE651890034497F2298132343C9A6FFE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078544Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:57.142{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078543Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:57.142{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E645E481D8B0110EC73E8CAD0877D5B7,SHA256=F7E2C8A1E2311CED1CCD44A731DD05BA0AE1BEE589377DD028A4564AC922DE06,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078546Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:58.142{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078545Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:58.142{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A30AC1401D28743CA42DC814006251,SHA256=3AEE9870332AA24876D81DD6655F0D7EB3A03AE61DDD18D1619DF1FE76DEA07C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076149Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:58.271{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99864762C33674CFF85D955CCA53225,SHA256=B568ADEE3095619728EA599C89A2BBEBBD19B27B4297815D212C8A2BAD045065,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078548Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:59.158{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078547Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:59.158{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BBB211DE0A00E0C1E5DC22A7737C17,SHA256=224ADA02C3D436EE413678B417F1BEBA3408C9B82D0E10661A50A0CEE48C50DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076150Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:26:59.271{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B855D538093008CDD1781164B500DF25,SHA256=45B377236009FC07019552A48C999BE231AB1E6AAA9D1D8DD8E4E5166D5D4067,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078550Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:00.163{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078549Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:00.163{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F638C77594CFADE9F1D0AB68DF443C30,SHA256=19682CC376EB0FFC3B65949A1DEB082CA8B7A73C2BD35660E5BBF589436286E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076151Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:00.276{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58E4390AB415DCCEA1DAF64DCF74A53,SHA256=067348B3243F730F7B7DD1370CC250E4C5C697A26EA60F8EE3568D1A06131522,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078553Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:26:58.790{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53584-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078552Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:01.178{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078551Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:01.178{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11312CD8DF1FF182A2138AFB710DEC7,SHA256=DB902559A634680FA29627392D139D2DAB567D93DF02B99DDC18404A1C0B324B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076154Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:01.963{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8C761FC4E6252B312C20996F01F86C,SHA256=AF40A1CDA5A4FD013B79032DA0FAF5A0CFC5F1EC40E399A533AB8169C447DD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076153Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:01.963{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B56BEE4FC82CFA753F79C897FCF5F67,SHA256=58433C9C2FF38441AF840C97C92DEC851C4DC4ACA011395EA59B18FBE0EDAD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076152Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:01.291{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1F9307C18BB3039CD5B82B4AA77841,SHA256=D848B0B9ABCFEAE33CEB02900DE0DD00EB743C3A790423CBF78255C6C869783A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076155Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:02.307{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC91714C0D720B2E2E9F9F452272942,SHA256=6073570D259235585479DFC05C491F14A70F5D866AD2A70D0E1D74F449D83085,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078555Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:02.194{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078554Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:02.194{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1A8507CAE087BF481C6C2081E8FF27,SHA256=BB126EA9866C484C19D4DAF655F0F665E03E7E5426B4444692EBE0371F4B3FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076156Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:03.323{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBD8DC579ABB250938B14EB28A7115E,SHA256=8B9EDBFE8ED1AA7DE3177D57B35686D8FF6CE2DD75A2A8CC5D8BE709089FA531,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078557Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:03.209{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078556Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:03.209{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D328F827130331C80552BA7F41759F9,SHA256=844CE02E81C4607AD3A5AB85BF0462950F5EAE7EBDCB691B265C4E7593E5A096,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076158Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:01.218{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50672-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076157Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:04.338{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6511224153EF61352774A283E91FA5,SHA256=A75B469BD1C59274E6BE4EBC125A30C57801BF099559309A303806DDEBE116B9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078559Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:04.209{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078558Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:04.209{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DABE54BFCD2D7C4D13031C9E354A75,SHA256=6C87945B52527182CDE8329ADAEADCA882E21915BE6CAF125257AACAFAFCF1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076159Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:05.354{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E18976CCEE0753B818AB317E9E1F89A,SHA256=47D586665C20A2A59B138DEDA79F5240A5631620DD9E3C083E9CACBB01D89CEF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078561Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:05.225{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078560Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:05.225{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666BAD34BFDA2A2B732EAB0716A3B051,SHA256=0F51CE3A7452F23D571680AF9DBCF489D378BD6A9BDBD5A5EF46817DCD9E2D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076160Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:06.369{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB64874E156A3B99F51A1F0984D030E4,SHA256=2BC40F7DC76CAA2B699F90D2FEB174C2F963D7EED0A8F5C7D638F760691C28E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078564Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:03.825{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53585-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078563Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:06.241{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078562Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:06.241{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2400A586C46BF0B779CA3F204D072F36,SHA256=982440F686A5617EC4B8E47D4028A64BADD6844E07705212B86098ACEE8AF910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076161Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:07.604{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3747E657C84C399CEA9EAEE88723E00F,SHA256=0DCECA7799EDB9BA6CF1D0F3CA63A4D8DED9F441747BC1128D33463D9ED4E24E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078566Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:07.256{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078565Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:07.256{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42A19E03CB4D401396290F74AA398CA,SHA256=2AB9EDB17FF62B7D8BFA158A33796CB0CAFA40CBC6D9355D503878C93028F2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076162Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:08.635{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40054910FAA8435AFF350A36E3927605,SHA256=50D29CA5EBBF22FAFB4CC79C120131066A4C8C0DC8287CA2543E05F6864ACD09,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078568Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:08.272{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078567Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:08.272{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E25517DDA7791B4F79940A5266872D,SHA256=30830A82E6EEBC61308018B43FB09EE4B2CB52249F632861E2C2E1582D398D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076163Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:09.651{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D139BAFBD26D6B940FBF517BBD1D37B5,SHA256=F066D918A498DE02965880E6679D43E119741065767BAE509294FB24EF4AD77D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078570Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:09.288{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078569Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:09.288{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930CDF712AC37EAFFDCD4F27D97C75CB,SHA256=4502F7738925B95F3CF72FA443ADC6FA502C450CE93644A35DD53683C0CB8D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076165Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:10.838{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1668333D9AB1007B63AA07B5523FB2B7,SHA256=D423B04FB460757919424DDDF4ED66EFAE16B64A577E3A66A7874951499D3276,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078572Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:10.303{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078571Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:10.303{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F65CFA504F7174A82D76C6A839188F,SHA256=E07DA87B23FFD77D0C2D8EF52DBF09229B088E894E0B1B84F6BA3F529E27C789,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076164Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:07.249{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50673-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076166Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:11.854{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF85B72CFE4DA84AD7F154836A57A07B,SHA256=3CC1DCFAC8D43D3F572EF8B852E47791654B49F7A8B4A94DA13A5DF3D33F66BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078575Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:08.934{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53586-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078574Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:11.319{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078573Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:11.319{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7295792A1F0BA325027645DACFD82373,SHA256=AD6F91786B6DF7B24F0A66055BC41B7FCDFEA11F37586FE2B344052C898A17D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076167Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:12.885{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E1655E47F4561C12F62F1C9BC077D4,SHA256=E6AABED7F06716177D1242F968626234D96D74FD5A5C6C479578FA3B5B759553,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078577Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:12.319{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078576Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:12.319{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F216E66855CF9A0BFE11F661D94D004,SHA256=112447E19BBFFAD2D416E7A358153BE4D73E2AAED7FF610E139B4289BEE7AB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076168Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:13.885{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD51C76AD66D3F065B4F8CC529FDD36,SHA256=785F2334C160DD9CA328CC1FDF8791EFB29A4FCDDD7BE606E4AFE0CFAFEC2C13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078579Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:13.335{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078578Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:13.335{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B07AADEA1007CAC26AB5C1096F330FA,SHA256=60F146E3DFD6BFFA0C59B6D78E57699B98416E28F52C8AE2C4ECD03E587080C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076170Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:12.280{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50674-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076169Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:14.323{89999F75-EEE0-60B9-2D00-00000000C401}2980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078581Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:14.350{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078580Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:14.350{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6B0F02CBFDA8D6181FC47928317ADE,SHA256=AA70BA973BF855B591769CF2A398DD64CC04ABFD4CD5B0AEA0F819D551FD62AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076171Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:15.104{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507B0449C8013482F315ED9FB488348E,SHA256=AAD5C4EA41847ECCA0BE437DC02865DEFCD780B50AA72751949AA379B22E13DD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078583Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:15.366{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078582Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:15.366{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A544F3EAC39BEAF6EF829675CB791D0D,SHA256=6FD4562256D2833574A00939A18AE683ABCA6A9ECABCCE6C817B8A2079940B38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076173Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:13.484{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50675-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000076172Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:16.119{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460A55D3A560152A645F58C35CC81EF3,SHA256=EAC0FF97E401652C5357ED06302C21443132BB3391B614D9916A452B83BFAA0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078586Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:14.981{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53587-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078585Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:16.381{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078584Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:16.381{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657A0EBD5CD86DF812ED8738EE5AC3B3,SHA256=9AC94889C375A2CE21C2296DF0C6E12E569E7E97BD7535BBAC76BC3AF9195D89,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078588Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:17.397{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078587Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:17.397{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37F6DC3D7A16757A3DDB7BF893CFC38,SHA256=33DFBD387B8107918F63CDCFC8F87C52292F775A0D8ACA4ECEFEDDB4DA173406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076174Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:17.354{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A36B30700B06936BA52DC9E9B4BB91,SHA256=61EAE01CE4C7597770FD6D695CACE7A8CFA01F6D2F36AFA6320CEFDFEF514976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076175Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:18.369{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67E62971A7AF50531E772F4315BD782,SHA256=91DECCD99D4174939E7A0611F2FB7B15A8B7BA4BDF3D6FC22A9359D37B277CD3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078590Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:18.413{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078589Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:18.413{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A5C975BBA2A7F6278C5BCA971A36F0,SHA256=0BAD5E81DBA7366859DC96B50D34B36EFD021B53FBE4CDA4527008F1DF406814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076190Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3847-60BA-EA0D-00000000C401}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076189Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076188Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076187Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076186Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076185Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076184Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076183Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076182Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076181Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076180Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-3847-60BA-EA0D-00000000C401}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076179Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3847-60BA-EA0D-00000000C401}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076178Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.795{89999F75-3847-60BA-EA0D-00000000C401}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076177Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:17.328{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50676-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076176Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:19.385{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE27E9516EA752EEAAE65346A3BD2540,SHA256=6BFA6CDDE4A493503C5B368A46D267EF4204DCEC6A4E21FE2EAAA9F15071EF2C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078592Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:19.428{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078591Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:19.428{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85D00D363CC57C92F178913A63140DC,SHA256=E93679A6C47A2394C9FDB07CA78578BD76FD0CDD6A1FA00EAA851F25C07C26F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076220Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3848-60BA-EC0D-00000000C401}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076219Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076218Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076217Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076216Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076215Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076214Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076213Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076212Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076211Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076210Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-3848-60BA-EC0D-00000000C401}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076209Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.966{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3848-60BA-EC0D-00000000C401}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076208Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.967{89999F75-3848-60BA-EC0D-00000000C401}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076207Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.873{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AAF13A97E623E9328C237A37A595890,SHA256=3344DEA6B5850FD1E9DC21A7AAFACA49337D85FB5CACB01135170F1DB591335A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076206Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.873{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8C761FC4E6252B312C20996F01F86C,SHA256=AF40A1CDA5A4FD013B79032DA0FAF5A0CFC5F1EC40E399A533AB8169C447DD0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076205Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.763{89999F75-3848-60BA-EB0D-00000000C401}36043232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076204Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.669{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB1DEE8F7511A31BE87E50D0CD0CAAD,SHA256=84D55CD377D907ED41C443FBDAC8C0214BBE8CA1A1478DEE076B565D1F532C5F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078594Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:20.432{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078593Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:20.432{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA216894EE7D8DCA588EF3391CCE78A3,SHA256=72667F0399AD765C0A8C4048768DEFE87D08265E55D55F6420A38B59211918E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076203Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3848-60BA-EB0D-00000000C401}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076202Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076201Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076200Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076199Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076198Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076197Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076196Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076195Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076194Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076193Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-3848-60BA-EB0D-00000000C401}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076192Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.466{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3848-60BA-EB0D-00000000C401}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076191Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:20.467{89999F75-3848-60BA-EB0D-00000000C401}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076234Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3849-60BA-ED0D-00000000C401}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076233Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076232Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076231Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-3849-60BA-ED0D-00000000C401}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076230Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076229Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076228Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076227Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076226Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076225Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3849-60BA-ED0D-00000000C401}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076224Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076223Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.826{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076222Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.827{89999F75-3849-60BA-ED0D-00000000C401}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076221Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.763{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73489E90E7C25D19968DB8CAB301B4F6,SHA256=3A1EFF4E6BEB85D0A256FC6D77B94C6C9C1E61126C0E71611CF7B14F76FE5768,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078596Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:21.447{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078595Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:21.447{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1742399F7B7E1FFBA9C0E69C832004BC,SHA256=414B93A4FF7B76E1098467E68E279C1197E5DF5B5AD8E858EEE3375D770564B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078599Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:20.953{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53588-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078598Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:22.447{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078597Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:22.447{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD9E943D4EE34FC3835FFF166CBD306,SHA256=33B4ACC1DC7F601256FC04AB99F6773856371819B7555FBC80662360B9CFE6F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076250Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.669{89999F75-384A-60BA-EE0D-00000000C401}34205084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076249Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-384A-60BA-EE0D-00000000C401}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076248Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076247Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076246Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076245Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076244Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076243Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076242Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076241Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076240Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076239Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-384A-60BA-EE0D-00000000C401}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076238Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-384A-60BA-EE0D-00000000C401}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076237Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.498{89999F75-384A-60BA-EE0D-00000000C401}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076236Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:22.013{89999F75-3849-60BA-ED0D-00000000C401}3681276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076235Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:21.998{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AAF13A97E623E9328C237A37A595890,SHA256=3344DEA6B5850FD1E9DC21A7AAFACA49337D85FB5CACB01135170F1DB591335A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078601Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:23.463{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078600Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:23.463{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF2FCAAE6F9901030B927BC7977A679,SHA256=D868039D5899E9D7151A14C8F6E26A9A34A5D40EB9E568E8EE9C130D573B1CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076252Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:23.513{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91358428D6CA53942C1513A3A525155F,SHA256=3DEF013B45BE0B5AB0AB5B3E40FDB0ADE865D12CCEA8A8978640B1700B2C01E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076251Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:23.169{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186408BB29CD3866D7B3CA0343983DE9,SHA256=206C5CBB7366A7A9E07B9125CF0A47E621C1EA0F2D16850B22E2F3F165AE709D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078603Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:24.478{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078602Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:24.478{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B62ED15249EA06E4C1DBA6CE296DE68,SHA256=010F4E8CDBE97A73D2857D1A1AC1E9579DBAE09C86ADAA54E52C726A67CFCCBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076266Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-384C-60BA-EF0D-00000000C401}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076265Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076264Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076263Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076262Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076261Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076260Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076259Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076258Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076257Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076256Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-384C-60BA-EF0D-00000000C401}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076255Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.561{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-384C-60BA-EF0D-00000000C401}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076254Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.562{89999F75-384C-60BA-EF0D-00000000C401}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076253Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.374{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FEE1C0693F478479FFEA01DE4F7667,SHA256=126F006E78DDF726703C0BD58CA3BD4BA7B76ABE74DCEE0F3118B9C4E3F7C394,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078605Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:25.494{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078604Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:25.494{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B43C101BE7BD0C63447BA836AD2875,SHA256=A349F5182DC00910C7D2B8FE65B410EDFBC9CC5AB91F35732BA96C5579C59994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076283Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.792{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5B801518914698D42D782941C9BC0E,SHA256=B1E055FFA41DE05FDBE8ED804239EB0191D717C2547C1BD6CA5DDC8516DF02BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076282Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:23.285{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50677-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076281Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.589{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C2161B74E87761EC03C2EEE96B06B47,SHA256=B1ED02CD7A40B8AF77BC3C92A8F70308A2349FFC5D74CFB5294197FAD0D66162,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076280Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.386{89999F75-384D-60BA-F00D-00000000C401}34844320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076279Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-384D-60BA-F00D-00000000C401}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076278Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076277Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076276Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076275Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076274Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076273Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076272Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076271Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076270Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076269Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-384D-60BA-F00D-00000000C401}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076268Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.230{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-384D-60BA-F00D-00000000C401}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076267Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:25.231{89999F75-384D-60BA-F00D-00000000C401}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076286Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.453{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50678-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 354300x800000000000000076285Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:24.453{89999F75-EEE0-60B9-2800-00000000C401}2932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50678-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 23542300x800000000000000076284Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:26.592{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAA97FE82A824CA39647BAAD60308C8,SHA256=69D53F164EAB2123D2A9846CB10FF5144CD96587D2D55B427689F7220EB6E608,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078607Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:26.510{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078606Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:26.510{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ED73A6FED8A6348BE5CB1C2A5E8026,SHA256=4C43D29036FE9CA7B9F88C1EFAB3D88B1D61B74E8BCDF1D15B4DABB7542D5758,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078609Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:27.525{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078608Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:27.525{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761FC7430B0D854845CC461291ADC1CA,SHA256=642EF4C2A1A208333C0A1B35F2BFF1D6C744B4865D1001C42FA9093496534961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076287Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:27.607{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A5C9EABC3DA1ABDABF2AE28609EBCF,SHA256=F091A0FEEA9ADBBE47B3025F64A6845975F86863CF95BD567109EC68F187C9E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078614Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:28.572{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078613Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:28.572{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403B9B2EEB5C820ED066263D7775942B,SHA256=5CC86C5116B3FE8CF551C3519D9CD84085FBE2D85D0B45FD84774593B7144639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076288Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:28.623{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C46BDF139F7A7113B37DA4EF1937DF9,SHA256=2AD7805BD67774ACA8F821BF6B92446A8813681977F5A0459DD1D4D676AF6EC9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078612Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:28.416{3F3E08E7-F094-60B9-1100-00000000C501}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-06-04 09:21:24.810 23542300x800000000000000078611Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:28.416{3F3E08E7-F094-60B9-1100-00000000C501}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2B165663AE1CEE695D29BB23DBEFB3F4,SHA256=6593D40D4F1FB7FF7F80DAA8724ED7515083C353F6535081CA30F3D3663350DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078610Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:25.953{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53589-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078616Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:29.666{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078615Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:29.666{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A205E208971BD7BCC8EFE580457D14C4,SHA256=2E546FDAF66D391371BE745D09E6277A31DF9681A582B7D3FCB05494C2122E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076289Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:29.623{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12EFB478E28CC6FCDCF93C8439AEDA4,SHA256=678F5A12C76C7728D4786CCD9EF10857C9C1C9F5DA381785950A200C5011E2B4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078618Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:30.900{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078617Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:30.900{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7854B5C0BE5B740A34DDAAFAE11A921B,SHA256=AA1A6E908FCE0DE30BFAA162B2ED37713BB33AF086820ED6B9CC21C162D05B5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076291Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:28.315{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50679-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076290Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:30.638{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37455335C3925C29712CC1FFD0697E40,SHA256=AB7A7A5C95CFAFFB8CB14A46C0E4D3855607261A577E7CE1F4D99623FA365C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076292Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:31.654{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED5BFD3DCFD7AFBF6D664075FF66433,SHA256=2760CC916F07C922AB71A279889915FF3EC582596050AA2C456E3A0C54F9829F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076293Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:32.670{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12D545B1293AE1B9E22874B3ECF4F5D,SHA256=1D916906FC4E885693665F38E63E02825FCC8EB45E698448D679EB0B46AE51D2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078620Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:32.041{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078619Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:32.041{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885713011EF633C41A43668848A3DE86,SHA256=42C65E140D15CC3E7866A5FEA8F6937D65697DC85A7C300C75F8BE12C1B59959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076294Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:33.688{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F2C47F0405803A9BD8728FAA59F80A,SHA256=43D536B5CA3B6B31FDA334D15735B8AFD79E6999D91B246D97C8F2BA8DB37F42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078638Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.977{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3855-60BA-240D-00000000C501}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078637Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.977{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078636Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.977{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078635Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.977{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078634Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.977{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078633Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.977{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-3855-60BA-240D-00000000C501}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078632Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.977{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3855-60BA-240D-00000000C501}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078631Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.978{3F3E08E7-3855-60BA-240D-00000000C501}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000078630Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.308{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3855-60BA-230D-00000000C501}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078629Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.308{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078628Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.308{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078627Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.308{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078626Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.308{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078625Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.308{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3855-60BA-230D-00000000C501}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078624Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.308{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3855-60BA-230D-00000000C501}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078623Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.309{3F3E08E7-3855-60BA-230D-00000000C501}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078622Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.167{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078621Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:33.167{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9300A13D2EDE75911CF3BDE39D1FB53,SHA256=F8902C7B82487865CE8B2EBA6F7135CB726D45DBD1924A5BA8D768E054173287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076295Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:34.701{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0717EB8DD138163A88B81DE65C43E1CC,SHA256=42AE7BD46BC85428AF57C1F39E4CD3F12D34965AFAC970946D21D0C6EED7598F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078654Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.649{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3856-60BA-250D-00000000C501}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078653Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.649{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078652Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.649{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078651Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.649{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078650Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.649{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078649Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.649{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-3856-60BA-250D-00000000C501}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078648Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.649{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3856-60BA-250D-00000000C501}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078647Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.650{3F3E08E7-3856-60BA-250D-00000000C501}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000078646Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:31.000{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53590-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078645Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.336{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078644Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.336{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A54B77BFB071BD7E49061EC609386904,SHA256=5A835AEEB93CA3266E0B799E15FF7185DDE26EA8C9F7CB8ECB2208BA0FC37C6C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078643Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.336{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078642Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.336{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A48F4B7183EBDB7E69E2E9473D909C4,SHA256=36E0049F3D025BC431F051A48E1D2FE171355BE43895EBE7A45416113AFD50D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078641Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.258{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078640Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.258{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C903C6BCB99A4B4F3EFEC353930F2589,SHA256=1A18CA371D4F005D256EA336439863835041BAA8DF87D8BAFB0E0ACCCC59CD98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078639Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:34.102{3F3E08E7-3855-60BA-240D-00000000C501}6204108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078658Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:35.683{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078657Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:35.683{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A54B77BFB071BD7E49061EC609386904,SHA256=5A835AEEB93CA3266E0B799E15FF7185DDE26EA8C9F7CB8ECB2208BA0FC37C6C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078656Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:35.480{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078655Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:35.480{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E41E240E136527A483065E8208538A6E,SHA256=65250BD06C007EC771C7B9463008D1A908F45909B1E2601E705D17E107CC7D43,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076297Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:33.230{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.171.93.206host-212-171-93-206.retail.telecomitalia.it63972-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 23542300x800000000000000076296Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:35.717{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D708A790A86A0C9AF55A391F586B6175,SHA256=FEA54D0945451DB21A1C8E1F241F37B44E2997DC77C95C83BF583BFB5323120F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076299Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:34.362{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50680-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076298Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:36.732{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8F0140C7245214BCBB447C52DFD7AB,SHA256=5A8326612735151AB0A40D28159F5F488E4A44DB4F04EA6EF22DFA43F1D9A40C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078677Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.871{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3858-60BA-270D-00000000C501}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078676Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.871{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078675Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.871{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078674Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.871{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078673Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.871{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078672Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.871{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-3858-60BA-270D-00000000C501}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078671Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.871{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3858-60BA-270D-00000000C501}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078670Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.872{3F3E08E7-3858-60BA-270D-00000000C501}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078669Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.527{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078668Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.527{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A525983E6F2AB411715D555410A812,SHA256=943F2021B83262DD448A3689382544D2B46BC33171F9EA5F02C229B34DB2D271,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078667Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.496{3F3E08E7-3858-60BA-260D-00000000C501}5544724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078666Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.371{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3858-60BA-260D-00000000C501}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078665Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.371{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078664Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.371{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078663Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.371{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078662Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.371{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078661Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.371{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3858-60BA-260D-00000000C501}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078660Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.371{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3858-60BA-260D-00000000C501}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078659Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.371{3F3E08E7-3858-60BA-260D-00000000C501}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076304Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:34.924{89999F75-EEE0-60B9-2E00-00000000C401}3032C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54036- 354300x800000000000000076303Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:34.923{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9800:472:839d:ffff-54036-true7f00:1:0:0:0:0:0:0-53domain 354300x800000000000000076302Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:34.893{89999F75-EEE0-60B9-2E00-00000000C401}3032C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local54036- 354300x800000000000000076301Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:34.893{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local54036-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local53domain 23542300x800000000000000076300Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:37.748{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570C1978C376F86D086CE5A884EF8616,SHA256=1F5B00C0A062ADA1902E771A8F6A27F89FDE118CD82EBD32BB0F069CF2851962,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078690Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.621{3F3E08E7-3859-60BA-280D-00000000C501}6444312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078689Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.542{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078688Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.542{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4990ED1553650F6A9E4CF5ADBA2B00,SHA256=BB4183E27DF64B7638D84B424120E19AB32FF1EE2AF1730FA1248BA60903A93E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078687Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.496{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3859-60BA-280D-00000000C501}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078686Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.496{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078685Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.496{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078684Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.496{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078683Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.496{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078682Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.496{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-3859-60BA-280D-00000000C501}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078681Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.496{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3859-60BA-280D-00000000C501}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078680Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.497{3F3E08E7-3859-60BA-280D-00000000C501}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000078679Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.386{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078678Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:37.386{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1325CB359F95934CBA2E79214C5DEB10,SHA256=A904BFDCCA852E1FB63ECEDBBD3170EC2AB40FDAB51ADC6184D4CD0CF3BF335D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076305Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:38.763{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB8A7E911AF68A07954F89047F8F56C,SHA256=3A5E75D8B51229A39408BDCA8A17D3FB2851C6AA44A42283291B8CC300957172,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078703Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.574{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078702Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.574{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FACC90C567DA3DA6480B3892257E62,SHA256=9A3F4CAB9D4EEFD5F40A301DA6012815EB7AB9EF1E74801C2B59E5A9E25DC7C1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078701Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.574{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078700Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.574{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F40B9B1A41870CF44A1954686EB17F05,SHA256=91EA50B08BD50049D9E5A4DB123054A9A829E38960B5FFEF5BB500CD636CC662,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078699Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.308{3F3E08E7-385A-60BA-290D-00000000C501}54043676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078698Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.167{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-385A-60BA-290D-00000000C501}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078697Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.167{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078696Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.167{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078695Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.167{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078694Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.167{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078693Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.167{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-385A-60BA-290D-00000000C501}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078692Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.167{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-385A-60BA-290D-00000000C501}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078691Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:38.168{3F3E08E7-385A-60BA-290D-00000000C501}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000078706Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:36.767{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53591-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078705Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:39.576{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078704Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:39.576{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D2EF1A6E368DBDAF57EEF483F4A72D,SHA256=58ED9A518FEE25CAF078521F7BC5F78562276F1B029F93BA5BC16A3F3292E62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076308Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:39.767{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF4DD601A983B03F7330312CDB3AA06,SHA256=6045365B217B8C192F454C27213E19C28F77626749928C232D756AF8C7AE0352,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076307Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:36.987{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse159.89.104.24810.ent.x64.eval.us-english.gz-s-8vcpu-16gb-amd-fra1-0161128-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 354300x800000000000000076306Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:34.924{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-54036-false127.0.0.1-53domain 11241100x800000000000000078708Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:40.655{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078707Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:40.655{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E88B53ED513E4F96609844F91F9D5F,SHA256=4784E7EB8B663D7EB9F811760326C8555FF65406DD83D3F41247B54DCCDE4E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076309Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:40.783{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB6BE968C09C6E288BD7D5E41DCC853,SHA256=19931C1764B52D1E83E9C61B67678F076F3560A57AAA5B9E9543C126F79900DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076310Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:41.799{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249A1DE5909306E1E8C878CB2BB9A39C,SHA256=B8C84EC707027A26A186D840F9B0CF5440EDEC596C8A9EF72A75EFDA0735DAEC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078710Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:41.670{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078709Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:41.670{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556656D2CD19FB57FF43814C46F2A86B,SHA256=B6C334D54FD96DD7BC7C207107531245BE1F54F6DD4E210C413C996AE0B6BCB1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078712Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:42.686{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078711Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:42.686{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86969DFB96F94B1362658D8B6B4B2F62,SHA256=7A8E5E0DFFF36666E812B3B53B20A71F6CCE16D34B945F17CECCEF8AF55B314B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076312Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:42.814{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56567A3D6BBFD63BC4A989517D2C5972,SHA256=948E1D235260C1729894D6F346E04DA5F6CEDC2B0B4F4B7F05394BB0C8E07651,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076311Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:39.381{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50681-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000078722Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:41.817{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53592-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078721Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:43.717{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078720Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:43.717{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F7BA06FA443FF48B6C982904229D65,SHA256=ADE422CCBB662A587BCFFCCDA5CB92AB85A62196E17DCED9112EE94ED0FD24C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076315Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:43.830{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD16128B5B57C7AC4E5265D45DCE69E,SHA256=E6512970F2F635949AE0B1680E17D216AE3037CE274A302A0332C2FDD4C18608,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078719Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:43.389{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6C07-00000000C501}5044C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078718Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:43.389{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6C07-00000000C501}5044C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078717Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:43.389{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6C07-00000000C501}5044C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078716Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:43.389{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6D07-00000000C501}2552C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078715Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:43.389{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6D07-00000000C501}2552C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078714Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:43.389{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6D07-00000000C501}2552C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078713Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:43.389{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6D07-00000000C501}2552C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076314Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:43.361{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFBCAAF2CFB9D9421B28CBE207EA5601,SHA256=D70797B7A1CC3ABD1E3DE8325DA2E1009917FD4BFC562F93CA2EB419E806C696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076313Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:43.361{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F954A614BC339D6478613B2568751DBC,SHA256=219F960DF8AB40DB8900D8F83CADDDED71711AE16AC52DD45C15C3808220AA5B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078731Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:44.733{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078730Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:44.733{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C089A42BB0F053B56A0FC89D2A88F8FB,SHA256=7853B522D620C1E5BBDC41B0B8BD4B37F9A36124BBA863EC5B5FAE81AB942246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076316Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:44.846{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34320CDD881A299E4C3AF596A491ABD0,SHA256=361687693AEB4BA67AB7EFB3A2CD711D375B630A760D8C379A10986AAFE1DE66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078729Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:44.514{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078728Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:44.514{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078727Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:44.514{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078726Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:44.514{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078725Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:44.514{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078724Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:44.514{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078723Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:44.514{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076318Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:45.861{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D25558FE74EC5ADA1869C8C00A74DE,SHA256=3493F1117F9153D09EE31CFD5699A393C14C27B7538EB467DD1B9BE2BC920316,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078733Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:45.733{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078732Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:45.733{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CABC511CECDC50C2D850860FD000D88,SHA256=AB61633AD227720791733D11BF224EA129269680188C58FBC186CA576BC6ED19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076317Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:42.850{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse167.172.181.15610.ent.x64.eval.us-english.gz-s-8vcpu-16gb-fra1-0150936-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 23542300x800000000000000076320Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:46.877{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF69A3F42CD51BCAB6859773C1DB89D,SHA256=8CB8E7D68F27298B9A8006AC6378D1B188F1F97115F5477E8E34C0A260C9156E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078735Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:46.748{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078734Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:46.748{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A652BDF61F0C1B44EBE12DDEE559825,SHA256=2E18FB7CEEAC9DC72A3BB37DCC2BB5D084BAA3740CF54BA4E44D28893BDCB36F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076319Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:44.397{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50682-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078737Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:47.764{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078736Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:47.764{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297AEB2EB44EBA75BCE2BA77C98E7D01,SHA256=2E9E56BD9EACE45D6616DA6AB8D326F2CBADEF2F64D97DD7A0F3C1AA072BFF80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076321Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:47.892{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F02A5B055AD3CC30D3AE9993B6EEBD,SHA256=6A3029D6A07D1605EB38349A1A07D0CDFAEAFB638624D0E04687F9C00A87523D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078739Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:48.779{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078738Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:48.779{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E24A42DD3BD0AAF5F8A6DD0A0CCDFE0,SHA256=0B4E6F85BD0F83D6B30EF8DC7D9CDF2727C613F88B109328ACF6BCA7D0E5B26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076324Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:48.939{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDA28EC5CC808A56A800BC6020FC22E,SHA256=4FD70C9AC03415D46D3EABD0875B831E03F3DDB0583FE3AB2B09A50A16A1BAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076323Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:48.611{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3511F82169755DD30ED64C74ADBFD6C,SHA256=FFC78366EB1137724ADA368C7F5AB45B05AEE013416995CAF4C2C866C229A032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076322Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:48.611{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFBCAAF2CFB9D9421B28CBE207EA5601,SHA256=D70797B7A1CC3ABD1E3DE8325DA2E1009917FD4BFC562F93CA2EB419E806C696,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078741Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:49.795{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078740Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:49.795{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBB6040056FF741E9EE45B44CD338EA,SHA256=B8BA671500AD5A545F408792D1324C5012C4CB1F4D7DD475C75C11C10D6A2FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076325Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:49.971{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFC49CBD979A81AFBA0BE67CC488ECF,SHA256=96C3D873B1452655C3AC00B64B300F6F113B70BC103C30F814E366E7A104B0B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076326Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:50.986{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B82830DE6E87A58BD12D30CCE634CF,SHA256=6E6452C163A2A2A4AC74A9615AF665874B404718E91A9F0F31912FD4AF43ABD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078753Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:47.848{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53593-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078752Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.811{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078751Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.811{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71E11679BBF33864E97F0F8148CF1FB,SHA256=477D4201400C3413329A067C49234F3CB146849891F4FCE69DDA07B477EA0E75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078750Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.451{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-06-04 09:23:23.209 23542300x800000000000000078749Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.451{3F3E08E7-02DF-60BA-6306-00000000C501}4144NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078748Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.358{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078747Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.358{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078746Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.358{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078745Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.358{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078744Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.358{3F3E08E7-FC3B-60B9-2105-00000000C501}30322012C:\Windows\system32\csrss.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078743Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.358{3F3E08E7-37D3-60BA-120D-00000000C501}25083204C:\Windows\system32\cmd.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078742Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.372{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe-----conti.exe -m local -log CONTI_LOG.TXT -nomutexC:\Temp\test\WIN-HOST-243\Administrator{3F3E08E7-FC3D-60B9-9E4C-2D0000000000}0x2d4c9e2HighMD5=F49B9F0D5AEFAA1F6431C18774B83553,SHA256=59A9F0DE96EFF57768E995B296AE75778A232F30D95A7B7AB5048C621B50C66D,IMPHASH=165166DAF912EEEDE18349A7B86B5288{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp\test" 354300x800000000000000078760Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:50.191{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53594-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 11241100x800000000000000078759Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:51.811{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078758Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:51.811{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1637B1DAC38AB78E71CAF09C5C613A90,SHA256=BF2DFBD4AD4D6A210433B3BD1F65BB9F9CC59B30198A28BC567550C4EC751FD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076327Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:49.412{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50683-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078757Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:51.404{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078756Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:51.404{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=329EF0680B73FB688E7A07DC72B3B551,SHA256=F9546CD7FF8519DCFABAE724C929C7B4B4E3C8650F977AD2504017D242F28F15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078755Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:51.404{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078754Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:51.404{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=507679A227AA91DFFDCAF8CE95538F67,SHA256=5F42F153A3C608641C695D873A5C37E5A4C66BCA6750314DB3E7986BE640EF26,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078762Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:52.826{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078761Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:52.826{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290ACC000638CA64C943F27FD5FD796E,SHA256=DDDF86ADD8AE4B6A2486EE8C6FECD18505690C99A84AD90D1019EF08E4193EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076328Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:52.033{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80FA8FD6969B64D03683B411E01DC20,SHA256=7AA86A88A94E43D86BAB176952C86901757662F8A66F5ABE5DD3F2A84E555DFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078764Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:53.842{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078763Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:53.842{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B178A04972B4F18D64152EC143CB8C73,SHA256=369B1A74565C0BF92F4E79B603E33A99BF706CCE05F8BE85589A185007D7478F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076329Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:53.049{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80A8C43A39CF44858635106455562BF,SHA256=50A0E857F8AA2B22F000F030F1E74D04ED2BEEBC875CA17AC202A5ED50B3AD33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078766Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:54.858{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078765Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:54.858{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6F64A1C3F05B669C7ACC628FDFF130,SHA256=783BEC4E4CA436BFAAED221881ADB6F72AF180DEEC06B140860C9ECD6D43FE0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076330Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:54.111{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81AAA36F76437A19408A783CE53FE3E,SHA256=76E004025B8D5303886A376F482C3FA8AFDAA2DBB2B46855526447652BD029A8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078768Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:55.873{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078767Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:55.873{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DDE475690CAC69CD3AAA8A0DBF49E9,SHA256=5F9EE71C8147FAE0340990F8253CDDEA3C9F6CD8662A7BF4B0CEF72038578DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076332Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:55.517{89999F75-EED0-60B9-1100-00000000C401}376NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3FB7C373830B2AFEFFC7B0FF6734187F,SHA256=E906F1B0695CFFAAC2905009AE9AF51C40C38EBAD0089650F125F21D3136443C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076331Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:55.158{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165D121CC4D9FD9BE8160453311310EF,SHA256=D765F75C7DC62A5FD47405384C1ED4C5F13728852DA379F20B7A6FA23388C7A6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078771Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:56.873{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078770Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:56.873{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2411C31F935F2C96856B5467AE792CA3,SHA256=C9435A86E0C789688D424EE314D350D1D28C148364276560AEFA4EDFF82DD381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076333Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:56.174{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC61362CC8E597964683B1CDA5C310C,SHA256=CFBBE66651B14DC131BDE7F2025BD898EC10DC341B11B7852F663C460C66E9C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078769Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:53.879{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53595-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078773Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:57.889{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078772Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:57.889{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8A8A75FB837D1459253D897FF6E751,SHA256=EC9AE9465D0109CE8211EAE66F32FF824DEC1734F1B23F6D515D9E9EF05465C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076335Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:55.209{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50684-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076334Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:57.236{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885FD39A4A788177E0747D5EC52C17B2,SHA256=4AC15FBD6899209D6859EC8A56960077FAB3C89434648A8337CF8B4CBD58F5F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078775Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:58.905{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078774Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:58.905{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078953C8C6DCED317728DC5D97D88E28,SHA256=F19C89CCECBD19F802BA6BFD95569FF8FC750CF29C4E6C71CDA0CBDEA5D0C3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076336Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:58.236{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1551B916356829BC960BC48E6F1D71F,SHA256=4F42829870A6B1566E7446906A4CF992CB2453BA1A74D8D61CFBD61CCC902A5B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078843Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.909{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078842Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.909{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7265FCC20903CEC0354036BE333F17F6,SHA256=284999270AF044927EFB291CD1D2B5D00BBB632DBA0CCBE5F4AE16A47CDEF87F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076337Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:27:59.252{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB567D91278D14D64FB3982B4304DCE0,SHA256=3672242D0E60BD0910C44ACD12757A46D7EF9DB44E2B2CCACB01868BB35EAD2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078841Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.690{3F3E08E7-FC3D-60B9-2F05-00000000C501}37522884C:\Windows\system32\taskhostw.exe{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078840Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.644{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078839Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.644{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078838Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.644{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078837Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.644{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078836Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.644{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078835Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.644{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078834Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.644{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078833Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.628{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078832Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.628{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078831Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.628{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078830Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.628{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078829Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.628{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078828Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.628{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC278930B17E440BA8EA5B38A738ECB,SHA256=CDD6284F954016C1A4CA7E6E52B3F7F886AD85CD175045ED693CB02B313BDFEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078827Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.597{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078826Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.597{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078825Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.581{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078824Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.581{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078823Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.561{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a3c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\wer.dll+3f183(wow64)|C:\Windows\System32\wer.dll+3f554(wow64)|C:\Windows\System32\wer.dll+3fd87(wow64)|C:\Windows\System32\wer.dll+20515(wow64)|C:\Windows\System32\wer.dll+156d1(wow64)|C:\Windows\System32\faultrep.dll+107dc(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 11241100x800000000000000078822Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.561{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\f1995070-a77c-4d9d-8978-7d57f05107f32021-06-04 14:27:59.561 11241100x800000000000000078821Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.561{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\3380f289-1a9a-41b8-9765-ece892b792362021-06-04 14:27:59.561 11241100x800000000000000078820Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.561{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\f2ccf4e6-f93e-4c71-a21c-a455ab9de1ea2021-06-04 14:27:59.561 10341000x800000000000000078819Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.545{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\wer.dll+330cb(wow64)|C:\Windows\System32\wer.dll+24973(wow64)|C:\Windows\System32\wer.dll+15779(wow64)|C:\Windows\System32\faultrep.dll+106c0(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000078818Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.545{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33fe2f(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33d738(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee5e9(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee664(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee6ed(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+28c8c5(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+29305d(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1e12f4(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+28c4f9(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cb18d(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cb022(wow64) 10341000x800000000000000078817Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.529{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+3404d2(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33c892(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+232f54(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+233565(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+239e56(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cf2f2(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cd856(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cf434(wow64)|C:\Windows\System32\faultrep.dll+15715(wow64)|C:\Windows\System32\faultrep.dll+f09b(wow64)|C:\Windows\System32\faultrep.dll+10555(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64) 11241100x800000000000000078816Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.483{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-06-04 09:20:37.026 23542300x800000000000000078815Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.483{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C6D4DEC9BE9894C89D8D87836C4B4E34,SHA256=111E4CDD825E9142CB02A4BBC97D6BB45C921C36559EC368B0A6987AD1AA7469,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078814Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.483{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-06-04 09:20:37.026 23542300x800000000000000078813Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.483{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2925FDCDA498C07162E5A06EE7F5A788,SHA256=AB1A28DDA667046C108A2050E6E4C6B88C4BB21894756D18E5F477A31C138765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078812Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.483{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+1a9b6(wow64)|C:\Windows\System32\faultrep.dll+1ab65(wow64)|C:\Windows\System32\faultrep.dll+1a16b(wow64)|C:\Windows\System32\faultrep.dll+10171(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000078811Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.451{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a3c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078810Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.451{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078809Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.451{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078808Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.451{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078807Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.451{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078806Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.451{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078805Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.451{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078804Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.451{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078803Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.451{3F3E08E7-F094-60B9-1400-00000000C501}8842340C:\Windows\system32\svchost.exe{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078802Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.451{3F3E08E7-F094-60B9-1400-00000000C501}8841080C:\Windows\system32\svchost.exe{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078801Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.436{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078800Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.436{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 11241100x800000000000000078799Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.436{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\60325777-e653-48e8-9ab6-58a1c5d8478c2021-06-04 14:27:59.436 10341000x800000000000000078798Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.404{3F3E08E7-FC3B-60B9-2105-00000000C501}30324004C:\Windows\system32\csrss.exe{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078797Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078796Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078795Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078794Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078793Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078792Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-386F-60BA-2C0D-00000000C501}57003572C:\Windows\System32\svchost.exe{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078791Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.400{3F3E08E7-386F-60BA-2D0D-00000000C501}1372C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 604C:\Windows\system32\WIN-HOST-243\Administrator{3F3E08E7-FC3D-60B9-9E4C-2D0000000000}0x2d4c9e2HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB,IMPHASH=CABB1BD9C8861200DB46B24A4934E8E8{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.execonti.exe -m local -log CONTI_LOG.TXT -nomutex 10341000x800000000000000078790Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-F094-60B9-0B00-00000000C501}6324296C:\Windows\system32\lsass.exe{3F3E08E7-386F-60BA-2C0D-00000000C501}5700C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078789Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-F094-60B9-0B00-00000000C501}6324296C:\Windows\system32\lsass.exe{3F3E08E7-386F-60BA-2C0D-00000000C501}5700C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078788Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-386F-60BA-2C0D-00000000C501}5700C:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\WER\Temp\74eb2aa0-9cd0-44db-a1d3-9b94a98b56bc2021-06-04 14:27:59.389 10341000x800000000000000078787Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-386F-60BA-2C0D-00000000C501}57003572C:\Windows\System32\svchost.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078786Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-386F-60BA-2C0D-00000000C501}57003572C:\Windows\System32\svchost.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078785Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-386F-60BA-2C0D-00000000C501}57003572C:\Windows\System32\svchost.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078784Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.389{3F3E08E7-386F-60BA-2C0D-00000000C501}5700C:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\WER\Temp\2cda4c6d-7091-4d54-b907-870341776ec32021-06-04 14:27:59.389 10341000x800000000000000078783Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.373{3F3E08E7-F094-60B9-0A00-00000000C501}6243836C:\Windows\system32\services.exe{3F3E08E7-386F-60BA-2C0D-00000000C501}5700C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078782Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.373{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-386F-60BA-2C0D-00000000C501}5700C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078781Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.373{3F3E08E7-F094-60B9-0A00-00000000C501}6244696C:\Windows\system32\services.exe{3F3E08E7-386F-60BA-2C0D-00000000C501}5700C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+17f9d|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078780Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.358{3F3E08E7-F094-60B9-0B00-00000000C501}6324296C:\Windows\system32\lsass.exe{3F3E08E7-F094-60B9-0A00-00000000C501}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078779Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.358{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078778Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.358{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078777Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.358{3F3E08E7-F094-60B9-0B00-00000000C501}6324296C:\Windows\system32\lsass.exe{3F3E08E7-F094-60B9-0A00-00000000C501}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078776Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:59.358{3F3E08E7-3866-60BA-2A0D-00000000C501}5843196C:\Temp\test\conti.exe{3F3E08E7-386F-60BA-2B0D-00000000C501}3188C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\System32\wow64.dll+25bce|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ef6c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ece62(wow64)|C:\Windows\SYSTEM32\ntdll.dll+af22a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ae692(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ae2da(wow64)|C:\Windows\SYSTEM32\ntdll.dll+9cb1a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+601c2(wow64)|C:\Windows\SYSTEM32\ntdll.dll+70dbf(wow64)|C:\Temp\test\conti.exe+184a4|C:\Temp\test\conti.exe+1d455|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 11241100x800000000000000078853Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:00.925{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078852Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:00.925{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5599D9B775F1D3ECD0F39051B5C69A70,SHA256=632F0DD94E4428854641CACEC1B5DCD370503D2AF05D9183766333E52DF14E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076338Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:00.288{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323B8E929B91C5B11C19829F4B1CDCFB,SHA256=46DC03A541A84342D3F840E70B58C637BF0E072982B4F9A17A7B95D1AC39E5F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078851Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:00.550{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078850Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:00.550{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AEF52914429D2A50D70F50A7C24A7B5,SHA256=5642810A8A0A131BAA35E9F340FB058B019F35B32EDF4FEF5771393AB3FC7DA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078849Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:00.550{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078848Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:00.550{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=329EF0680B73FB688E7A07DC72B3B551,SHA256=F9546CD7FF8519DCFABAE724C929C7B4B4E3C8650F977AD2504017D242F28F15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078847Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:00.534{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-06-04 09:20:37.385 23542300x800000000000000078846Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:00.534{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1FEADA99E3AEBF88D86514069EEF5F6F,SHA256=C3470163F21605BA50C1476C2CD963A9C4EA8280D06905EB231ABAEB41934EE3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078845Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:00.534{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-06-04 09:20:37.385 23542300x800000000000000078844Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:00.534{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E2D3CAC60B6F0B1A1A6E484DDA71F97D,SHA256=823E4784B1041EA0DC861D1B14D66D3CE4A6B0C5551A3B4BC273237F575C876E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076339Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:01.303{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F49D4D0A58D3B3217386ABCAD8EF51,SHA256=A359CAA1D91E18DF265BF8C915115A3C8738D711CEF818A2388A7984A226BF5B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078856Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:01.940{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078855Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:01.940{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D16CF66D6C40174810E047C0ED72AC,SHA256=7EDEA8CFB691D5F6011ED5E640E533720B47238CFC57F0B1BA87B2937404FDED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078854Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:27:58.910{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53596-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000078925Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.315{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078924Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.315{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078923Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.315{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078922Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.315{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078921Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.315{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078920Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.300{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078919Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.300{3F3E08E7-FC3E-60B9-3405-00000000C501}9523500C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078918Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.300{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078917Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.300{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078916Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.300{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078915Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.300{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078914Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.269{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078913Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.269{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078912Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.269{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078911Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.253{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078910Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.253{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a3c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\wer.dll+3f183(wow64)|C:\Windows\System32\wer.dll+3f554(wow64)|C:\Windows\System32\wer.dll+3fd87(wow64)|C:\Windows\System32\wer.dll+20515(wow64)|C:\Windows\System32\wer.dll+156d1(wow64)|C:\Windows\System32\faultrep.dll+107dc(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 11241100x800000000000000078909Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.253{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\10b6c0a0-61cd-49d4-a196-e970c52bbc682021-06-04 14:28:02.253 11241100x800000000000000078908Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.253{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078907Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.253{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F9E52A4D9FF1E7522E4F497C4E0DE7,SHA256=DD6D85EBC5F0515209FC0EF34945326DCC95A1F7DEC1B6F9E0BC86C0321575A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078906Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.253{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\776fb8c2-d9f3-491f-8c24-3afed0c2bb2c2021-06-04 14:28:02.253 11241100x800000000000000078905Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.253{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\be67d9fb-8e10-4fed-a52a-39749a5242fc2021-06-04 14:28:02.253 10341000x800000000000000078904Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.253{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\wer.dll+330cb(wow64)|C:\Windows\System32\wer.dll+24973(wow64)|C:\Windows\System32\wer.dll+15779(wow64)|C:\Windows\System32\faultrep.dll+106c0(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000078903Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.237{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33fe2f(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33d738(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee5e9(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee664(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee6ed(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+28c8c5(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+29305d(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1e12f4(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+28c4f9(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cb18d(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cb022(wow64) 10341000x800000000000000078902Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.222{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+3404d2(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33c892(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+232f54(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+233565(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+239e56(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cf2f2(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cd856(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cf434(wow64)|C:\Windows\System32\faultrep.dll+15715(wow64)|C:\Windows\System32\faultrep.dll+f09b(wow64)|C:\Windows\System32\faultrep.dll+10555(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64) 11241100x800000000000000078901Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.222{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-06-04 09:20:37.026 23542300x800000000000000078900Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.222{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C6D4DEC9BE9894C89D8D87836C4B4E34,SHA256=111E4CDD825E9142CB02A4BBC97D6BB45C921C36559EC368B0A6987AD1AA7469,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078899Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.222{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+1a9b6(wow64)|C:\Windows\System32\faultrep.dll+1ab65(wow64)|C:\Windows\System32\faultrep.dll+1a16b(wow64)|C:\Windows\System32\faultrep.dll+10171(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000078898Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.206{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a3c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000076341Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:00.214{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50685-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076340Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:02.335{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90C511DAABCF408419F240CE3698281,SHA256=181EDEE551E8B25621696C6EB2C884274534A48AE52FE4DE6D6ABACDE59B0D05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078897Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.206{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+eed70(wow64)|C:\Windows\SYSTEM32\ntdll.dll+eec38(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ed03a(wow64)|C:\Windows\System32\KERNELBASE.dll+138efb(wow64)|C:\Windows\System32\faultrep.dll+e09b(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000078896Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.206{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+eed70(wow64)|C:\Windows\SYSTEM32\ntdll.dll+eec38(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ed03a(wow64)|C:\Windows\System32\KERNELBASE.dll+138efb(wow64)|C:\Windows\System32\faultrep.dll+e09b(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000078895Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.206{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+eed70(wow64)|C:\Windows\SYSTEM32\ntdll.dll+eec38(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ed03a(wow64)|C:\Windows\System32\KERNELBASE.dll+138efb(wow64)|C:\Windows\System32\faultrep.dll+e09b(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000078894Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.206{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+eed70(wow64)|C:\Windows\SYSTEM32\ntdll.dll+eec38(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ed03a(wow64)|C:\Windows\System32\KERNELBASE.dll+138efb(wow64)|C:\Windows\System32\faultrep.dll+e09b(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000078893Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.206{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee53c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee928(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee31c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ecf86(wow64)|C:\Windows\System32\KERNELBASE.dll+138efb(wow64)|C:\Windows\System32\faultrep.dll+e09b(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000078892Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.206{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee53c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee928(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee31c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ecf86(wow64)|C:\Windows\System32\KERNELBASE.dll+138efb(wow64)|C:\Windows\System32\faultrep.dll+e09b(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000078891Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.206{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee53c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee928(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee26c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ecf86(wow64)|C:\Windows\System32\KERNELBASE.dll+138efb(wow64)|C:\Windows\System32\faultrep.dll+e09b(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000078890Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.206{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee53c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee928(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ee26c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ecf86(wow64)|C:\Windows\System32\KERNELBASE.dll+138efb(wow64)|C:\Windows\System32\faultrep.dll+e09b(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000078889Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.206{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3872-60BA-2F0D-00000000C501}2724C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\System32\wow64.dll+25bce|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ef6c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ece62(wow64)|C:\Windows\System32\KERNELBASE.dll+138efb(wow64)|C:\Windows\System32\faultrep.dll+e09b(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078888Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.190{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078887Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.190{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078886Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.190{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078885Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.190{3F3E08E7-F094-60B9-1400-00000000C501}8842340C:\Windows\system32\svchost.exe{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078884Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.190{3F3E08E7-F094-60B9-1400-00000000C501}8841080C:\Windows\system32\svchost.exe{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078883Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.190{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078882Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.190{3F3E08E7-3872-60BA-2E0D-00000000C501}16081812C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 11241100x800000000000000078881Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.190{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\3f6a058c-95b5-43d3-9d2a-641096b6309d2021-06-04 14:28:02.190 10341000x800000000000000078880Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.175{3F3E08E7-FC3B-60B9-2105-00000000C501}30324004C:\Windows\system32\csrss.exe{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078879Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.175{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078878Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.175{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078877Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.175{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078876Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.175{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078875Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.175{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078874Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.175{3F3E08E7-386F-60BA-2C0D-00000000C501}57003572C:\Windows\System32\svchost.exe{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078873Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.175{3F3E08E7-3872-60BA-2E0D-00000000C501}1608C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 596C:\Windows\system32\WIN-HOST-243\Administrator{3F3E08E7-FC3D-60B9-9E4C-2D0000000000}0x2d4c9e2HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB,IMPHASH=CABB1BD9C8861200DB46B24A4934E8E8{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.execonti.exe -m local -log CONTI_LOG.TXT -nomutex 11241100x800000000000000078872Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-386F-60BA-2C0D-00000000C501}5700C:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\WER\Temp\7ef6500f-106f-4e36-8ed1-282820b3a8602021-06-04 14:28:02.159 10341000x800000000000000078871Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-386F-60BA-2C0D-00000000C501}57003572C:\Windows\System32\svchost.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078870Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-386F-60BA-2C0D-00000000C501}57003572C:\Windows\System32\svchost.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078869Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-386F-60BA-2C0D-00000000C501}57003572C:\Windows\System32\svchost.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078868Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-386F-60BA-2C0D-00000000C501}57003572C:\Windows\System32\svchost.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1441C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+7050|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078867Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078866Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078865Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078864Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-386F-60BA-2D0D-00000000C501}13723140C:\Windows\SysWOW64\WerFault.exe{3F3E08E7-3866-60BA-2A0D-00000000C501}584C:\Temp\test\conti.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000078863Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078862Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078861Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078860Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078859Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078858Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078857Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:02.159{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078936Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.409{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078935Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.409{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620B00B93056B0AC85AC8E073744DB0F,SHA256=AA953F214D5890715409F716A1904A8DF1A2F5DD58635C01EB3E76A03550D192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078934Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.237{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078933Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.237{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078932Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.237{3F3E08E7-FC3E-60B9-3405-00000000C501}9521640C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078931Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.237{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078930Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.237{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078929Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.237{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078928Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.237{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-37D3-60BA-130D-00000000C501}1828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078927Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.175{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078926Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:03.175{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AEF52914429D2A50D70F50A7C24A7B5,SHA256=5642810A8A0A131BAA35E9F340FB058B019F35B32EDF4FEF5771393AB3FC7DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076342Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:03.350{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A2D2A9E03FF6530D886F74C3FCCBA8,SHA256=D4F35360E5363ADE0594E0986E0F7CC9143929D9BB413516390494FABEC7A573,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078940Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:04.409{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-06-04 09:20:37.385 23542300x800000000000000078939Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:04.409{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1FEADA99E3AEBF88D86514069EEF5F6F,SHA256=C3470163F21605BA50C1476C2CD963A9C4EA8280D06905EB231ABAEB41934EE3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078938Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:04.190{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078937Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:04.190{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C169D8539836940BF189D65D9AFADA,SHA256=6C2A0F3DF30251C611E215A32A75C8ED28EBE9C59D7432FDECBFF574A05EC832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076343Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:04.382{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0D89886D5369C9E41C94BFE5AB3F6F,SHA256=ED71E8E8FD69DCD9A1F6383700DCB9F662760C45183B08C9180FBBF9160F4348,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078942Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:05.425{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078941Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:05.425{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A54E7BC280235E518250A50421CE73,SHA256=83CC0912D3A9ACB0D94D9D88C8E1F92277B07B116048E5192ABBA4B9C46F3E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076344Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:05.413{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D916BEE0514D3C49DABDDEDC507651E3,SHA256=C106212A155581738610F9EE6624B22FABB574D265BB527AD59A0F9AE75D0294,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078944Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:06.440{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078943Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:06.440{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F698C8A49481BA27755713B7349C8C,SHA256=819508D6D1ED5C11B2C04B67A1A843398349F0F34DEE97C4C2B4EC91FD1566D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076345Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:06.428{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7658E18475FB4B6E967AA44B95EE3FFE,SHA256=BD184F91C98C9F57DF98230DDC7D38D1480FCD4DEE6A0C5CEE9EEDD5F58D8FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076347Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:07.444{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B104320CA3879B7B68F1A32125DB4673,SHA256=EADF1E7228B524231276C557D59E444257DA3E09FC973A0A8078067AC675FC8D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078947Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:07.581{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078946Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:07.581{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FE5FC0B1262C91D197EC2FA9085E0A,SHA256=B466257BC763CBBA8D5692E2B81BB19FBBD6BB2C84870CD4AB44606711270B4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078945Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:04.758{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53597-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000076346Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:04.650{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse159.89.104.24810.ent.x64.eval.us-english.gz-s-8vcpu-16gb-amd-fra1-0165297-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 23542300x800000000000000076349Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:08.663{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B087D62D8E830D0826F81AEF04821410,SHA256=13FD052DCBE8B8CF3561DD02956BBC25A6B685CD429131B52D2ABFD17F07EBB9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078949Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:08.597{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078948Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:08.597{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8BC00CC7229DD63F689C5F96C83B82,SHA256=A43EE4B498FF62139724DDF18C4B8DBF9D38C49314F07909B8EBD1DDB5A71EB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076348Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:05.229{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50686-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076350Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:09.866{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A74CFAD68AEEE9DF2622EB4BBBB44B,SHA256=68009246BA984BF1CBB2AF4CF894ECCB4C435C4F165DFB46C81C6FB9C4180F3F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078951Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:09.737{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078950Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:09.737{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50677F14D7F3EA5AEF0E9E27201F9468,SHA256=05095CB3F30FC80F3B91DFF46B9E718C28118471B5291CF60FE96F7A0A230E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076351Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:10.882{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EE0AB81C64F55F8224181DD814E8B1,SHA256=5427B3DF7FD853340B8980D84F5F9F690E0A4E5E60F73561C32289704E5F8A8C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078953Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:10.894{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078952Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:10.894{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515DD40EC41C9990F9E1B71A83D1AC0B,SHA256=2D9D10A330D58900DCEAD7510FD729EDA7EF474538A0BC1FDC829AB37A2C785A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076354Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:11.913{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8755711B8A9A315D5F40696BB33C6D,SHA256=C0919D1F60EE7054299E20C6B0B94967F72A575E8E39071005540F242A06A4E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078956Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:11.909{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078955Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:11.909{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B9F1BF12D62C6DB218D26B4D8D0CF2,SHA256=CE923F100053261034288B0158D2BE5AE4D57E112BAEDC9BD797AEE9FFEFB415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076353Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:11.147{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A5D5E0FC0DA7279F81A6D5C5C2505CA,SHA256=2970062608308B201179147E5CB63E9DE669550F7A13643F40F1F1F0D69EBE42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076352Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:11.147{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3511F82169755DD30ED64C74ADBFD6C,SHA256=FFC78366EB1137724ADA368C7F5AB45B05AEE013416995CAF4C2C866C229A032,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078954Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:09.977{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53598-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076355Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:12.960{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881F1611125D26258F19C8C10BAAD724,SHA256=59D9E22E4A00894D0B8FB3010D02E3D14910B0DAF89104F6B07B355E216ACDC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078958Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:12.925{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078957Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:12.925{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503B194CA93A33AD15BA5ED492A3456B,SHA256=6A957A655611650447B1EDD4118ED6683874A621A973E1E9EC9200E134BA7AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076357Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:13.975{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B724FD275D3977209885CF3C6FCF5389,SHA256=FA346B504A57B40DE83D2BED05229701F7719E6BF5C8397F11AC57512D3E2AE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076356Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:11.261{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50687-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076359Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:14.991{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26C44BFBC3F3AF1A8678D639CD91F2E,SHA256=ADD56E7AEB91BC3F887BE39D88FFA5C99CEA2AA33EA8E1E781B91B3547E60FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076358Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:14.350{89999F75-EEE0-60B9-2D00-00000000C401}2980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078960Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:14.081{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078959Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:14.081{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A204DA0C7C3C94F0216A97DD55418BE,SHA256=1A850A5059749D5CA1C43D7B5A5AEEA986740EDE99B2D1B021D9D467660C3E6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078969Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:15.753{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078968Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:15.753{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078967Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:15.753{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078966Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:15.753{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078965Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:15.753{3F3E08E7-FC3B-60B9-2105-00000000C501}3032948C:\Windows\system32\csrss.exe{3F3E08E7-387F-60BA-300D-00000000C501}1868C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078964Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:15.753{3F3E08E7-37D3-60BA-120D-00000000C501}25083204C:\Windows\system32\cmd.exe{3F3E08E7-387F-60BA-300D-00000000C501}1868C:\Temp\test\conti.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000078963Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:15.754{3F3E08E7-387F-60BA-300D-00000000C501}1868C:\Temp\test\conti.exe-----conti.exe -m net -log CONTI_LOG2.TXT -nomutexC:\Temp\test\WIN-HOST-243\Administrator{3F3E08E7-FC3D-60B9-9E4C-2D0000000000}0x2d4c9e2HighMD5=F49B9F0D5AEFAA1F6431C18774B83553,SHA256=59A9F0DE96EFF57768E995B296AE75778A232F30D95A7B7AB5048C621B50C66D,IMPHASH=165166DAF912EEEDE18349A7B86B5288{3F3E08E7-37D3-60BA-120D-00000000C501}2508C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp\test" 11241100x800000000000000078962Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:15.081{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078961Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:15.081{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA6892D80FBA8183ECB7E8B475C8302,SHA256=9B9529C50DE420DC59E81F53AE021C0464620B50601D6B2AA0D3C439DBA585E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076361Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:13.511{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50688-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000076360Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:16.038{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2126F9D45B33FE562C8B7A873FE42F70,SHA256=DF158A214DD84E565DC37442F7696F0ABEC68A8B757D4153D55D2BBDC7F21063,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078976Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:16.800{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078975Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:16.800{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D698D7D5534069E4EA24968242826A4,SHA256=DB9602E99D891DDD78F749227FE38F3AA761E86120F618EAF5D763275A900E38,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078974Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:16.800{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000078973Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:16.800{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEE4158B8ED393D297DB131F295FD84B,SHA256=5579E2BE8D84C015FE73263B7DEC5ED13542C929ABAD80890546A69EB2ADAF27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078972Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:14.977{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53599-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000078971Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:16.097{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078970Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:16.097{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B56342CE54A90F6C56D72A181B38931,SHA256=2A5177CF9F3DD9E056C538FC8466DDF89A827B919973622B3F6D0FA2BF331D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076362Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:17.256{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18692AB2FAD096B22AFB7824B29FF2A9,SHA256=77DD4E62C044D4904A6D7546C0E843FEA77A19DBBCEB8E401AC123952DA563DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078978Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:17.112{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078977Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:17.112{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2479150B645B04A3B723961E3EF0A910,SHA256=D414A8D60CB5A304865AA941CA964ED6FAE0487DF4D7E6A72AC15E5EB2062E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076363Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:18.288{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBB64275E87CC138BF88A4B58948C25,SHA256=FB2A26C8F7E8A6E49CC0C51384195F25757647BB77371A863D1114047D003771,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078980Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:18.112{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078979Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:18.112{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4EE8F87CE9EB27DE9AFF9E5BB3A32D,SHA256=93294C54FA3EEC1CBBD28FE911EEE7162A9EC60DB3C43F5FA1610132F3F04919,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076378Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:17.260{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50689-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000076377Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3883-60BA-F10D-00000000C401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076376Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076375Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076374Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076373Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076372Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076371Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076370Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076369Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076368Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076367Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-3883-60BA-F10D-00000000C401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076366Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.698{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3883-60BA-F10D-00000000C401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076365Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.699{89999F75-3883-60BA-F10D-00000000C401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076364Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:19.303{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84C5E00D1B7A8296BA18FD2AF1DCF74,SHA256=1BEB8E1EE44E0B5C2AC03B8A72828F8ED4A215C4AD4A68BC462DD7621DE33CE1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078982Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:19.128{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078981Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:19.128{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7A1BDDCC2F6A0E625E67DE24212278,SHA256=095D40B075704CFD019A22763539F8BB7FF8CBB6560269DCB0BC599631CC5F1A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078984Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:20.163{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078983Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:20.163{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDA5869A89524F834CD54789F946AC3,SHA256=D5DD1226F83CB323022F529EE83D4EACBE95288525DE1F294A0160096BA55165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076394Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.698{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD0E730FCE78D91D9D7C0526A18D2F59,SHA256=EB68518DD818147BC9ACF7ABAF5B1F3CB8E1546C570B72336514EA97F1A553A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076393Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.698{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A5D5E0FC0DA7279F81A6D5C5C2505CA,SHA256=2970062608308B201179147E5CB63E9DE669550F7A13643F40F1F1F0D69EBE42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076392Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3884-60BA-F20D-00000000C401}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076391Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076390Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076389Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076388Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076387Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076386Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076385Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076384Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076383Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076382Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-3884-60BA-F20D-00000000C401}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076381Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3884-60BA-F20D-00000000C401}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076380Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.370{89999F75-3884-60BA-F20D-00000000C401}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076379Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:20.307{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6195E1966BDC84C657B5F05A430B99,SHA256=E0D993BB70D18289EA3AF27B90049F558D0DE4728B86476BA8A80336DC1E0930,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076422Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3885-60BA-F40D-00000000C401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076421Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076420Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076419Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076418Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076417Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076416Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076415Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076414Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076413Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076412Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-3885-60BA-F40D-00000000C401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076411Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.838{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3885-60BA-F40D-00000000C401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076410Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.839{89999F75-3885-60BA-F40D-00000000C401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076409Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.338{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857665799F7A34DA7D3850617FA6D91F,SHA256=42CCFBBA04F10EA1237EA699650DB6D1D5FBC11905AED72FF14611A89AB59A21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076408Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.323{89999F75-3885-60BA-F30D-00000000C401}19561140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078986Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:21.210{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078985Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:21.210{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EADC4448AFECAFA0E84AD7C7847F4C7,SHA256=BD7A6701882A08E247B058E9ABD5364C608F184CB04FFF42CD17C54D1A67ED26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076407Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3885-60BA-F30D-00000000C401}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076406Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076405Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076404Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076403Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076402Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076401Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076400Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076399Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076398Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076397Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-3885-60BA-F30D-00000000C401}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076396Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3885-60BA-F30D-00000000C401}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076395Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:21.042{89999F75-3885-60BA-F30D-00000000C401}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076439Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.573{89999F75-3886-60BA-F50D-00000000C401}37643616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076438Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3886-60BA-F50D-00000000C401}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076437Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076436Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076435Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076434Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076433Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076432Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076431Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076430Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076429Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-3886-60BA-F50D-00000000C401}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076428Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076427Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.354{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3886-60BA-F50D-00000000C401}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076426Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.355{89999F75-3886-60BA-F50D-00000000C401}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076425Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.323{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB3836F5EEE44B901D17B78B98D8A76,SHA256=6F6CDCC45F074C8A13BB5974C31803D0CFEBDF515A3A90F4E25828FB731EB5E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078988Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:22.226{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078987Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:22.226{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D82B89E909A5BEE4C8F2CA88DE58E20,SHA256=F137C134772EFA470FBA6F280781CE67E6235B0E91394953C6C8A8742AD01CA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076424Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.073{89999F75-3885-60BA-F40D-00000000C401}18762012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076423Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:22.057{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD0E730FCE78D91D9D7C0526A18D2F59,SHA256=EB68518DD818147BC9ACF7ABAF5B1F3CB8E1546C570B72336514EA97F1A553A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076441Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:23.573{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A79A8DC5F3D8A2997D5107DE34CC10,SHA256=2EA9F90DFF92484EDB477A610F556F0E67624E38200D2C8D58640EC0E8FEB2D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076440Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:23.338{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBD6D6875AD4A436E122C6B6FE7BBF4,SHA256=D69767619603B7B6965A5569BA6132A4AD2C69D134405FA0235E93438720D043,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000078991Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:23.242{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078990Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:23.242{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3B78CC3C86CDF87B1E474297E0FEA8,SHA256=331C41550D35EEFDD3B320EEBF4CC16ADD0B77E86C526F7A710E171DFEA76F82,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078989Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:20.762{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53600-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000076455Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3888-60BA-F60D-00000000C401}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076454Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076453Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076452Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076451Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076450Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076449Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076448Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076447Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076446Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076445Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-3888-60BA-F60D-00000000C401}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076444Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.588{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3888-60BA-F60D-00000000C401}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076443Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.589{89999F75-3888-60BA-F60D-00000000C401}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076442Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.338{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B0C79CF89ABF1C78DFEA49E57CEDB5,SHA256=680569611EB5A8E6F44BA766667ADF56B2F979B9BE01EEC452E8B5340B4C6FC2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079037Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.945{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079036Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.945{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026E0CB67688732533B98647D512D2C7,SHA256=1FEF721495FCCEDF87D28156D916B9CC9BB02840CDADE20AC707AFC187741310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079035Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-3888-60BA-330D-00000000C501}3840C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079034Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-1500-00000000C501}1001604C:\Windows\system32\svchost.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000079033Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-0B00-00000000C501}6323052C:\Windows\system32\lsass.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079032Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-0B00-00000000C501}6323052C:\Windows\system32\lsass.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079031Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-1500-00000000C501}1001604C:\Windows\system32\svchost.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000079030Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-0B00-00000000C501}6323052C:\Windows\system32\lsass.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079029Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-0B00-00000000C501}6323052C:\Windows\system32\lsass.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079028Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-1500-00000000C501}1001604C:\Windows\system32\svchost.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000079027Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-0B00-00000000C501}6323052C:\Windows\system32\lsass.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079026Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-0B00-00000000C501}6323052C:\Windows\system32\lsass.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079025Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.788{3F3E08E7-F094-60B9-1500-00000000C501}1001604C:\Windows\system32\svchost.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000079024Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.773{3F3E08E7-F094-60B9-0A00-00000000C501}6244696C:\Windows\system32\services.exe{3F3E08E7-3888-60BA-330D-00000000C501}3840C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079023Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.773{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3888-60BA-330D-00000000C501}3840C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079022Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.757{3F3E08E7-F094-60B9-0A00-00000000C501}6243836C:\Windows\system32\services.exe{3F3E08E7-3888-60BA-330D-00000000C501}3840C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079021Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.757{3F3E08E7-F094-60B9-0B00-00000000C501}6323052C:\Windows\system32\lsass.exe{3F3E08E7-F094-60B9-0A00-00000000C501}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079020Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.757{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079019Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.757{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079018Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.757{3F3E08E7-F094-60B9-0B00-00000000C501}6323052C:\Windows\system32\lsass.exe{3F3E08E7-F094-60B9-0A00-00000000C501}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079017Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.757{3F3E08E7-F094-60B9-0B00-00000000C501}6323052C:\Windows\system32\lsass.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079016Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.757{3F3E08E7-F094-60B9-0B00-00000000C501}6323052C:\Windows\system32\lsass.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079015Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.757{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079014Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F094-60B9-0A00-00000000C501}6243836C:\Windows\system32\services.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079013Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079012Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079011Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079010Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079009Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079008Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F094-60B9-0A00-00000000C501}6244696C:\Windows\system32\services.exe{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079007Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.745{3F3E08E7-3888-60BA-320D-00000000C501}2992C:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEC:\Windows\system32\vssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=C417EA0DC7EF39347AB3AFC6D9CE0A3C,SHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB,IMPHASH=B933B302F069B1ED43D97EAA68CD7B05{3F3E08E7-F094-60B9-0A00-00000000C501}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000079006Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F094-60B9-0B00-00000000C501}6324296C:\Windows\system32\lsass.exe{3F3E08E7-F094-60B9-0A00-00000000C501}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079005Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079004Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079003Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.741{3F3E08E7-F094-60B9-0B00-00000000C501}6324296C:\Windows\system32\lsass.exe{3F3E08E7-F094-60B9-0A00-00000000C501}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079002Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.726{3F3E08E7-F094-60B9-1400-00000000C501}8845532C:\Windows\system32\svchost.exe{3F3E08E7-3888-60BA-310D-00000000C501}5744C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079001Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.710{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-3888-60BA-310D-00000000C501}5744C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079000Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.695{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3888-60BA-310D-00000000C501}5744C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078999Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.695{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-3888-60BA-310D-00000000C501}5744C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078998Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.695{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078997Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.695{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078996Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.695{3F3E08E7-F094-60B9-0B00-00000000C501}6324296C:\Windows\system32\lsass.exe{3F3E08E7-F094-60B9-1400-00000000C501}884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078995Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.695{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-387F-60BA-300D-00000000C501}1868C:\Temp\test\conti.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000078994Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.679{3F3E08E7-387F-60BA-300D-00000000C501}1868C:\Temp\test\conti.exeC:\Temp\test\CONTI_LOG2.TXT2021-06-04 14:28:24.679 11241100x800000000000000078993Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.257{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000078992Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.257{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1AD3FA5C50CA6A2C966AA0351F951C4,SHA256=590B2490DA6BA2D46D3434F63960707FE0AEA086473DC933BF503CD9DADA912A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076472Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.590{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=359D16D3579D01B535C1B384C94424F8,SHA256=69FFE65A3729AC1F082B8A5F39C267E5E845A33FD028788E90259C3B904B9AEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076471Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.465{89999F75-3889-60BA-F70D-00000000C401}47241336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000076470Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:23.264{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50690-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076469Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.355{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A0DFD9A0330A3AEB114062115C4CC5,SHA256=50E72130DDD43FC5BFCB7863683A22ACA2779A51C6776600EA98A55FC66E09DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079047Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.757{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-06-04 09:20:37.385 23542300x800000000000000079046Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.757{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DEE5B3A6AFEDC11D99449CC1B8601739,SHA256=0233169A10ED6369B971544B1BFA14106BF91C0B3CBC807E431DE3052DDA82DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079045Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.757{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-06-04 09:20:37.385 23542300x800000000000000079044Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.757{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D4DAFC66DB742B76AC4E578277167B1D,SHA256=A679ECC7BB6BC27E8D6A5AAA86D10F5F51AD203CF6E672E5D0E8DE61E86501A3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079043Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.726{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079042Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.726{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2CF6E109E4A1DADC5948DF30F1274D1,SHA256=9FD99D08524EE109E325E1731912F7F47ACC635F75A162B7BF8DAF0978076E65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079041Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.726{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079040Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.726{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D698D7D5534069E4EA24968242826A4,SHA256=DB9602E99D891DDD78F749227FE38F3AA761E86120F618EAF5D763275A900E38,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079039Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.288{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079038Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.288{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5AE6DC62F49CCE055CD3901837096A,SHA256=BE69E90016E1D5D3A17A20E08C3F064EDB2C54A5E7D8D0700B7A1ACD142566F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076468Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-3889-60BA-F70D-00000000C401}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076467Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076466Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076465Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076464Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076463Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076462Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076461Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076460Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076459Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076458Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-3889-60BA-F70D-00000000C401}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076457Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.269{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-3889-60BA-F70D-00000000C401}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076456Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.270{89999F75-3889-60BA-F70D-00000000C401}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x800000000000000079053Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.601{3F3E08E7-387F-60BA-300D-00000000C501}1868win-host-243010.0.1.15;C:\Temp\test\conti.exe 11241100x800000000000000079052Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:26.320{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079051Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:26.320{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68464245150E7B361B59B0AE087D320,SHA256=55EB243F8F94CCF8E41255506E8C8D4038CC9BACB3EA8C74E1926BA9C582C4C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076475Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:26.876{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=808024FF5CEC838C6847BD2C96D519FC,SHA256=EF4735FADE1EEB8066A6D54D673F929C194231AF70B5E53AF7A638C3F995407A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076474Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.044{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53615-false10.0.1.14win-dc-392.attackrange.local445microsoft-ds 23542300x800000000000000076473Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:26.374{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D22B8DA4926BCB9341F1C724FD2FA1,SHA256=FC48980758767CF78A70EE5D20D9198A3769BC3F9F5070A3DB231A8CB501EC92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079050Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.605{3F3E08E7-387F-60BA-300D-00000000C501}1868C:\Temp\test\conti.exeWIN-HOST-243\Administratortcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53615-false10.0.1.14-445microsoft-ds 354300x800000000000000079049Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.605{3F3E08E7-F092-60B9-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15win-host-243.eu-central-1.compute.internal53616-false10.0.1.15win-host-243.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000079048Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:24.605{3F3E08E7-387F-60BA-300D-00000000C501}1868C:\Temp\test\conti.exeWIN-HOST-243\Administratortcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53616-false10.0.1.15win-host-243.eu-central-1.compute.internal445microsoft-ds 11241100x800000000000000079060Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:27.382{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079059Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:27.382{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8E5E0981FCEBB4C746CA8B34BDD652,SHA256=18BF6B677C7B295EEE7CAFBC7CDC942AEB61BF1DBD52BA58A8BA89901936F135,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076482Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.062{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53859-false10.0.1.14win-dc-392.attackrange.local445microsoft-ds 354300x800000000000000076481Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.062{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53858-false10.0.1.14win-dc-392.attackrange.local445microsoft-ds 354300x800000000000000076480Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.061{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53857-false10.0.1.14win-dc-392.attackrange.local445microsoft-ds 354300x800000000000000076479Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:25.053{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53856-false10.0.1.14win-dc-392.attackrange.local445microsoft-ds 354300x800000000000000076478Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.469{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50691-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 354300x800000000000000076477Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:24.469{89999F75-EEE0-60B9-2800-00000000C401}2932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50691-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 23542300x800000000000000076476Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:27.439{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D773760D326F21FFEA344995EDA7EE68,SHA256=6BD65843E5DA1D7C904172AE1FFA073A2FAFF4B9CAC9B75C73F1F76A8BCE1261,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079058Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.762{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53860-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000079057Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.623{3F3E08E7-F092-60B9-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53859-false10.0.1.14-445microsoft-ds 354300x800000000000000079056Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.622{3F3E08E7-F092-60B9-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53858-false10.0.1.14-445microsoft-ds 354300x800000000000000079055Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.622{3F3E08E7-F092-60B9-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53857-false10.0.1.14-445microsoft-ds 354300x800000000000000079054Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:25.613{3F3E08E7-F092-60B9-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53856-false10.0.1.14-445microsoft-ds 11241100x800000000000000079064Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:28.585{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079063Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:28.585{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5C337B807917554E0EE93B197C395C,SHA256=A00DB36052F2D7F1B6C5DB5F0FB60B48F88B2A84A1E8CF672379F965F4E33CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076483Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:28.486{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227F968D4FA334A6F23B638BF315112E,SHA256=D83D053FC42254C13C7A165F4280990A8AC7A62241BF418C41A4EAF5029AE587,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079062Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:28.429{3F3E08E7-F094-60B9-1100-00000000C501}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-06-04 09:22:24.815 23542300x800000000000000079061Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:28.429{3F3E08E7-F094-60B9-1100-00000000C501}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=22300F11E981B25780B75829C4909B62,SHA256=201104BCBA5F4C1A8555FD727D2DB36AB9AA679E0E88101B2DDFBE11FE0B5F39,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079069Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:29.695{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079068Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:29.695{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0659D18FC0BCBF98BA020886D561FA55,SHA256=EBCB8266198934CF8C412FB6A946129ECE51C9F536F90AF5AAB4FEE178CC4D07,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076502Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.955{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\readme.txt2021-06-04 14:28:29.955 11241100x800000000000000076501Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.955{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\DIFX\readme.txt2021-06-04 14:28:29.955 11241100x800000000000000076500Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.939{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\readme.txt2021-06-04 14:28:29.939 11241100x800000000000000076499Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.908{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\ansible\readme.txt2021-06-04 14:28:29.908 11241100x800000000000000076498Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.908{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\readme.txt2021-06-04 14:28:29.908 11241100x800000000000000076497Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.830{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\7-Zip\readme.txt2021-06-04 09:05:18.766 23542300x800000000000000076496Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.830{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\7-Zip\readme.txtMD5=D69960C6D80F05BDFC78BBE225C10696,SHA256=F91F9D8B06BB111226139874193D28295E77BF4F1C82F7762FD85BA39192E593,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076495Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.814{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\readme.txt2021-06-04 14:28:29.814 11241100x800000000000000076494Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.814{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Recovery\readme.txt2021-06-04 14:28:29.814 11241100x800000000000000076493Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.798{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\readme.txt2021-06-04 14:28:29.798 11241100x800000000000000076492Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.783{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\readme.txt2021-06-04 14:28:29.783 11241100x800000000000000076491Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.767{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\readme.txt2021-06-04 14:28:29.767 734700x800000000000000076490Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.705{89999F75-EEE0-60B9-2F00-00000000C401}3060C:\Windows\System32\dfssvc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 11241100x800000000000000076489Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.720{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\readme.txt2021-06-04 14:28:29.720 10341000x800000000000000076488Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.705{89999F75-EED0-60B9-1400-00000000C401}10681236C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076487Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.689{89999F75-EECE-60B9-0B00-00000000C401}6241248C:\Windows\system32\lsass.exe{89999F75-EEE0-60B9-2F00-00000000C401}3060C:\Windows\system32\dfssvc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076486Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.689{89999F75-EECE-60B9-0B00-00000000C401}6241248C:\Windows\system32\lsass.exe{89999F75-EEE0-60B9-2F00-00000000C401}3060C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000076485Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:26.734{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse167.172.181.15610.ent.x64.eval.us-english.gz-s-8vcpu-16gb-fra1-0155838-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 23542300x800000000000000076484Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.501{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8843A288BD39CBC5E408F6537423C74,SHA256=F0D009719C4FD73D33CC399B6A28EB1F76FA9FFF102FCADFBC6EFBAC923A5B4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079067Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:29.226{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-1300-00000000C501}744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079066Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:29.226{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-1300-00000000C501}744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079065Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:29.226{3F3E08E7-F094-60B9-0C00-00000000C501}7284460C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-1300-00000000C501}744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000079071Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:30.710{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079070Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:30.710{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D5343C569B65F196E2BA777ED72924,SHA256=9D9543219CD646AD50EB2355041A6A7E5C5489A596E1C5AC96CA14306693D6B4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076533Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.971{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\7-Zip\Lang\readme.txt2021-06-04 14:28:30.971 11241100x800000000000000076532Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.955{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Public\readme.txt2021-06-04 14:28:30.955 23542300x800000000000000076531Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.939{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0F5DA8779CD4FEE8C2AD9359359FB2C,SHA256=FFDD75A6C9C73E57E6C3833D8EAFE719614B0194CD54293733DBC1D44A49979B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076530Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:30.783{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\readme.txt2021-06-04 14:28:30.783 11241100x800000000000000076529Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.626{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\readme.txt2021-06-04 14:28:30.626 11241100x800000000000000076528Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.626{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\USOShared\readme.txt2021-06-04 14:28:30.626 11241100x800000000000000076527Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.626{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\USOPrivate\readme.txt2021-06-04 14:28:30.626 11241100x800000000000000076526Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.626{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\SoftwareDistribution\readme.txt2021-06-04 14:28:30.626 11241100x800000000000000076525Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.626{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\shimgen\readme.txt2021-06-04 14:28:30.626 11241100x800000000000000076524Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.611{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\regid.1991-06.com.microsoft\readme.txt2021-06-04 14:28:30.611 11241100x800000000000000076523Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.611{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\readme.txt2021-06-04 14:28:30.611 11241100x800000000000000076522Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.611{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Mozilla\readme.txt2021-06-04 14:28:30.611 11241100x800000000000000076521Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.611{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\readme.txt2021-06-04 14:28:30.611 11241100x800000000000000076520Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.611{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Comms\readme.txt2021-06-04 14:28:30.611 11241100x800000000000000076519Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.595{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\readme.txt2021-06-04 14:28:30.595 11241100x800000000000000076518Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.595{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\ansible\readme.txt2021-06-04 14:28:30.595 11241100x800000000000000076517Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.581{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\readme.txt2021-06-04 14:28:30.581 23542300x800000000000000076516Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.581{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154C57252DFE465DFA8BDC188D9172BD,SHA256=C74E6B8E4B6C5B594F6E4F497C28D09BF214C7D7AD04E36FC013CB44EE13914D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076515Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.581{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Uninstall Information\readme.txt2021-06-04 14:28:30.581 11241100x800000000000000076514Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.564{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Mozilla Maintenance Service\readme.txt2021-06-04 14:28:30.564 11241100x800000000000000076513Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.564{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Microsoft.NET\readme.txt2021-06-04 14:28:30.564 11241100x800000000000000076512Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.564{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Internet Explorer\readme.txt2021-06-04 14:28:30.564 11241100x800000000000000076511Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.548{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\readme.txt2021-06-04 14:28:30.548 11241100x800000000000000076510Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.548{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS Tools\readme.txt2021-06-04 14:28:30.548 11241100x800000000000000076509Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.548{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS SDK for .NET\readme.txt2021-06-04 14:28:30.548 11241100x800000000000000076508Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.548{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Uninstall Information\readme.txt2021-06-04 14:28:30.548 11241100x800000000000000076507Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.501{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\readme.txt2021-06-04 14:28:30.501 11241100x800000000000000076506Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.439{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\readme.txt2020-01-03 09:54:58.000 23542300x800000000000000076505Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.439{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Notepad++\readme.txtMD5=11B0A85DCD7045352F71E46D83DE6D7E,SHA256=BC661498305746C6DEACBEE301522F7C283566A804184E290481D3B57AF675B1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076504Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.017{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Mozilla Firefox\readme.txt2021-06-04 14:28:30.017 11241100x800000000000000076503Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:30.017{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Internet Explorer\readme.txt2021-06-04 14:28:30.017 11241100x800000000000000076558Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.951{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Mozilla Firefox\browser\readme.txt2021-06-04 14:28:31.951 11241100x800000000000000076557Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.951{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Internet Explorer\SIGNUP\readme.txt2021-06-04 14:28:31.951 11241100x800000000000000076556Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.935{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Internet Explorer\images\readme.txt2021-06-04 14:28:31.935 11241100x800000000000000076555Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.935{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Internet Explorer\en-US\readme.txt2021-06-04 14:28:31.935 11241100x800000000000000076554Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.935{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\readme.txt2021-06-04 14:28:31.935 11241100x800000000000000076553Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.935{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\readme.txt2021-06-04 14:28:31.935 22542200x800000000000000076552Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:28.878{89999F75-EEE0-60B9-2F00-00000000C401}3060win-dc-392.attackrange.local0fe80::3c4a:8b18:68f0:a4d8;::ffff:10.0.1.14;C:\Windows\System32\dfssvc.exe 11241100x800000000000000079074Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:31.742{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079073Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:31.742{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2BD86D5FD5CC3CC6FE35F48B20AF26,SHA256=479DE4A530532AD120A8EE428C5545D649E0514D9387AB4B0316BC4306900DDC,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000079072Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:29.454{3F3E08E7-F094-60B9-1700-00000000C501}1200_ldap._tcp.dc._msdcs.10.0.1.14.9003-C:\Windows\System32\svchost.exe 11241100x800000000000000076551Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.794{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\etc\readme.txt2021-06-04 14:28:31.794 11241100x800000000000000076550Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.763{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\dev\readme.txt2021-06-04 14:28:31.763 11241100x800000000000000076549Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.747{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\cmd\readme.txt2021-06-04 14:28:31.747 11241100x800000000000000076548Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.747{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\bin\readme.txt2021-06-04 14:28:31.747 11241100x800000000000000076547Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.747{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\DIFX\23DAD9142B9E9A64\readme.txt2021-06-04 14:28:31.747 11241100x800000000000000076546Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.747{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\System\readme.txt2021-06-04 14:28:31.747 11241100x800000000000000076545Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.716{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\Services\readme.txt2021-06-04 14:28:31.716 11241100x800000000000000076544Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.716{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\readme.txt2021-06-04 14:28:31.716 11241100x800000000000000076543Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.701{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\ansible\sysmon\readme.txt2021-06-04 14:28:31.701 11241100x800000000000000076542Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.646{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\readme.txt2021-06-04 14:28:31.646 11241100x800000000000000076541Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.611{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\SSM\readme.txt2021-06-04 14:28:31.611 11241100x800000000000000076540Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:31.595{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\Hibernate\readme.txt2021-06-04 14:28:31.595 354300x800000000000000076539Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:28.895{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50693-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 354300x800000000000000076538Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:28.895{89999F75-EEE0-60B9-2F00-00000000C401}3060C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50693-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 354300x800000000000000076537Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:28.879{89999F75-EEE0-60B9-2E00-00000000C401}3032C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-392.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60068- 354300x800000000000000076536Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:28.877{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50692-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 354300x800000000000000076535Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:28.877{89999F75-EEE0-60B9-2F00-00000000C401}3060C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50692-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 354300x800000000000000076534Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:28.875{89999F75-EEE0-60B9-2E00-00000000C401}3032C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-392.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal62483- 11241100x800000000000000076576Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.951{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS SDK for .NET\bin\readme.txt2021-06-04 14:28:32.951 11241100x800000000000000076575Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.951{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\readme.txt2021-06-04 14:28:32.951 11241100x800000000000000076574Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.951{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\share\readme.txt2021-06-04 14:28:32.951 11241100x800000000000000076573Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.936{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\lib\readme.txt2021-06-04 14:28:32.936 23542300x800000000000000076572Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.872{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733EA43A911E378EB6503731BFAB2F74,SHA256=215A74E20F477050BE15C4749BDECD3456D4985601FA6F2C12A777C240412986,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079076Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:32.788{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079075Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:32.788{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B20A56D68FC5919C2A31AAA6CAD252,SHA256=02CE481FE30527CA5BC9E3105BBA6BF75B62432549CCFDB5AC49215979011DF4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076571Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.841{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\readme.txt2021-06-04 14:28:32.841 11241100x800000000000000076570Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.747{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\bin\readme.txt2021-06-04 14:28:32.747 11241100x800000000000000076569Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.732{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\updater\readme.txt2021-06-04 14:28:32.732 11241100x800000000000000076568Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.732{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\plugins\readme.txt2021-06-04 14:28:32.732 11241100x800000000000000076567Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.716{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\localization\readme.txt2021-06-04 14:28:32.716 11241100x800000000000000076566Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.544{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\functionList\readme.txt2021-06-04 14:28:32.544 354300x800000000000000076565Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:29.302{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50694-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000076564Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.341{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\autoCompletion\readme.txt2021-06-04 14:28:32.341 11241100x800000000000000076563Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.326{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Mozilla Firefox\uninstall\readme.txt2021-06-04 14:28:32.326 11241100x800000000000000076562Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.326{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Mozilla Firefox\gmp-clearkey\readme.txt2021-06-04 14:28:32.326 11241100x800000000000000076561Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.284{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Mozilla Firefox\fonts\readme.txt2021-06-04 14:28:32.284 11241100x800000000000000076560Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.284{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Mozilla Firefox\defaults\readme.txt2021-06-04 14:28:32.284 23542300x800000000000000076559Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:32.091{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0CC035807D9C35DB240543D148A3BF,SHA256=56AC852649AE49768CA9B8099D6367243D01831E56C3308FA0533C43F929E491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079096Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.993{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3891-60BA-350D-00000000C501}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079095Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.993{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079094Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.993{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079093Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.993{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079092Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.993{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079091Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.993{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-3891-60BA-350D-00000000C501}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079090Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.993{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3891-60BA-350D-00000000C501}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079089Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.993{3F3E08E7-3891-60BA-350D-00000000C501}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079088Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.868{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079087Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.868{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD74C1267FC9B3036C10106376E8A23,SHA256=5A109B418D72E78B60146A2BE854C05D4329420CA2A450381383D6E349F26FDF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076626Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.951{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{674c5ef7-9d50-4540-a711-6b82e2469bd0}\readme.txt2021-06-04 14:28:33.951 11241100x800000000000000076625Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.951{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{620A7633-7A09-42A8-8580-076A4483C4B0}v14.28.29913\readme.txt2021-06-04 14:28:33.951 11241100x800000000000000076624Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.904{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{09259595-ce26-4705-b47e-59d9e3ccebb9}\readme.txt2021-06-04 14:28:33.904 11241100x800000000000000076623Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.904{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\18A31B3F7FED28870B882909D91DFA8EC5BC87A6\readme.txt2021-06-04 14:28:33.904 11241100x800000000000000076622Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.904{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\WinMSIPC\readme.txt2021-06-04 14:28:33.904 11241100x800000000000000076621Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.904{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\WDF\readme.txt2021-06-04 14:28:33.904 11241100x800000000000000076620Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.904{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Vault\readme.txt2021-06-04 14:28:33.904 11241100x800000000000000076619Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.779{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\User Account Pictures\readme.txt2021-06-04 14:28:33.779 11241100x800000000000000076618Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.716{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\UEV\readme.txt2021-06-04 14:28:33.716 11241100x800000000000000076617Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.701{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Speech_OneCore\readme.txt2021-06-04 14:28:33.701 11241100x800000000000000076616Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.701{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Settings\readme.txt2021-06-04 14:28:33.701 11241100x800000000000000076615Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.701{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\ServerManager\readme.txt2021-06-04 14:28:33.701 11241100x800000000000000076614Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.701{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Network\readme.txt2021-06-04 14:28:33.701 11241100x800000000000000076613Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.701{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\NetFramework\readme.txt2021-06-04 14:28:33.701 11241100x800000000000000076612Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.685{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\MF\readme.txt2021-06-04 14:28:33.685 11241100x800000000000000076611Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.685{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\MapData\readme.txt2021-06-04 14:28:33.685 11241100x800000000000000076610Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.685{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\IdentityCRL\readme.txt2021-06-04 14:28:33.685 11241100x800000000000000076609Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.669{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Event Viewer\readme.txt2021-06-04 14:28:33.669 11241100x800000000000000076608Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.669{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\DRM\readme.txt2021-06-04 14:28:33.669 11241100x800000000000000076607Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.669{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\readme.txt2021-06-04 14:28:33.669 11241100x800000000000000076606Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.669{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\DeviceSync\readme.txt2021-06-04 14:28:33.669 11241100x800000000000000076605Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.669{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Device Stage\readme.txt2021-06-04 14:28:33.669 11241100x800000000000000076604Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.669{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Crypto\readme.txt2021-06-04 14:28:33.669 11241100x800000000000000076603Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.654{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\AppV\readme.txt2021-06-04 14:28:33.654 11241100x800000000000000076602Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.622{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\tools\readme.txt2021-06-04 14:28:33.622 11241100x800000000000000076601Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.622{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\redirects\readme.txt2021-06-04 14:28:33.622 11241100x800000000000000076600Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.591{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\logs\readme.txt2021-06-04 14:28:33.591 11241100x800000000000000076599Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.591{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\readme.txt2021-06-04 14:28:33.591 11241100x800000000000000076598Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.544{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\helpers\readme.txt2021-06-04 14:28:33.544 11241100x800000000000000076597Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.544{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\extensions\readme.txt2021-06-04 14:28:33.544 11241100x800000000000000076596Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.529{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\config\readme.txt2021-06-04 14:28:33.529 11241100x800000000000000076595Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.513{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\bin\readme.txt2021-06-04 14:28:33.513 11241100x800000000000000076594Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.513{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\.chocolatey\readme.txt2021-06-04 14:28:33.513 11241100x800000000000000076593Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.513{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\ansible\log\readme.txt2021-06-04 14:28:33.513 11241100x800000000000000076592Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.513{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\Tools\readme.txt2021-06-04 14:28:33.513 11241100x800000000000000076591Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.497{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\readme.txt2021-06-04 14:28:33.497 11241100x800000000000000076590Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.497{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Mozilla Maintenance Service\logs\readme.txt2021-06-04 14:28:33.497 11241100x800000000000000076589Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.482{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Microsoft.NET\RedistList\readme.txt2021-06-04 14:28:33.482 11241100x800000000000000076588Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.482{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Internet Explorer\SIGNUP\readme.txt2021-06-04 14:28:33.482 11241100x800000000000000076587Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.466{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Internet Explorer\images\readme.txt2021-06-04 14:28:33.466 11241100x800000000000000076586Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.466{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Internet Explorer\en-US\readme.txt2021-06-04 14:28:33.466 11241100x800000000000000076585Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.466{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\System\readme.txt2021-06-04 14:28:33.466 11241100x800000000000000076584Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.466{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Services\readme.txt2021-06-04 14:28:33.466 11241100x800000000000000076583Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.451{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\readme.txt2021-06-04 14:28:33.451 11241100x800000000000000076582Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.388{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS Tools\ThirdPartySource\readme.txt2021-06-04 14:28:33.388 11241100x800000000000000076581Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.388{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS Tools\PowerShell\readme.txt2021-06-04 14:28:33.388 11241100x800000000000000076580Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.357{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS Tools\Documentation\readme.txt2021-06-04 14:28:33.357 11241100x800000000000000076579Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.138{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS Tools\Deployment Tool\readme.txt2021-06-04 14:28:33.138 11241100x800000000000000076578Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.029{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS Tools\CodeCommit\readme.txt2021-06-04 14:28:33.029 11241100x800000000000000076577Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:33.013{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS SDK for .NET\past-releases\readme.txt2021-06-04 14:28:33.013 10341000x800000000000000079086Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.460{3F3E08E7-3891-60BA-340D-00000000C501}29044480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000079085Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:30.793{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53861-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000079084Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.320{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3891-60BA-340D-00000000C501}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079083Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.320{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079082Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.320{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079081Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.320{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079080Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.320{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079079Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.320{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-3891-60BA-340D-00000000C501}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079078Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.320{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3891-60BA-340D-00000000C501}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079077Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:33.320{3F3E08E7-3891-60BA-340D-00000000C501}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000076641Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.982{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Favorites\readme.txt2021-06-04 14:28:34.982 11241100x800000000000000076640Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDownloads2021-06-04 14:28:34.966{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Downloads\readme.txt2021-06-04 14:28:34.951 11241100x800000000000000076639Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.935{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Documents\readme.txt2021-06-04 14:28:34.935 11241100x800000000000000076638Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.904{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Desktop\readme.txt2021-06-04 14:28:34.904 11241100x800000000000000076637Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.904{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Contacts\readme.txt2021-06-04 14:28:34.904 11241100x800000000000000076636Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.904{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\readme.txt2021-06-04 14:28:34.904 23542300x800000000000000076635Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.372{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B78B03DAB28413723CD1DBC778FDC16,SHA256=80E3E41F8D27D2C4DEF995F3F7F0B802BA93D3E0D66B4E42B1522266A9ECDECD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076634Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.044{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\USOShared\Logs\readme.txt2021-06-04 14:28:34.044 11241100x800000000000000076633Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.029{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\USOPrivate\UpdateStore\readme.txt2021-06-04 14:28:34.029 11241100x800000000000000076632Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.029{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\shimgen\generatedfiles\readme.txt2021-06-04 14:28:34.029 11241100x800000000000000076631Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.029{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{EECDD137-13DA-46ED-ADA0-BDF7F8BE65B8}v14.28.29913\readme.txt2021-06-04 14:28:34.029 10341000x800000000000000079108Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.555{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3892-60BA-360D-00000000C501}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079107Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.555{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079106Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.555{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079105Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.555{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079104Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.555{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079103Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.555{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3892-60BA-360D-00000000C501}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079102Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.555{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3892-60BA-360D-00000000C501}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079101Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.556{3F3E08E7-3892-60BA-360D-00000000C501}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079100Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.321{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079099Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.321{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58E6B2579A96E78B79989ED056099654,SHA256=D818D472289708070702653999FFB07B44223B23DF72EEADB1868AC67257203F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079098Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.321{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079097Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.321{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2CF6E109E4A1DADC5948DF30F1274D1,SHA256=9FD99D08524EE109E325E1731912F7F47ACC635F75A162B7BF8DAF0978076E65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076630Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.029{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{C1130551-76E8-44D6-A31D-4A9D5B0817CF}v3.0.529.0\readme.txt2021-06-04 14:28:34.029 11241100x800000000000000076629Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.029{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{BDA0686A-BD74-4579-8E5A-DBD5E73C5D13}v2.0.6\readme.txt2021-06-04 14:28:34.029 11241100x800000000000000076628Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.013{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{B1A3AC35-A431-4C8C-9D21-E2CA92047F76}v2.0.533.0\readme.txt2021-06-04 14:28:34.013 11241100x800000000000000076627Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.013{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{855e31d2-9031-46e1-b06d-c9d7777deefb}\readme.txt2021-06-04 14:28:34.013 11241100x800000000000000076683Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.899{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\System\msadc\readme.txt2021-06-04 14:28:35.899 11241100x800000000000000076682Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.852{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\System\en-US\readme.txt2021-06-04 14:28:35.852 11241100x800000000000000076681Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.806{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\System\ado\readme.txt2021-06-04 14:28:35.806 11241100x800000000000000076680Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.806{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\VGX\readme.txt2021-06-04 14:28:35.806 11241100x800000000000000076679Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.806{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\Triedit\readme.txt2021-06-04 14:28:35.806 11241100x800000000000000076678Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.790{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\TextConv\readme.txt2021-06-04 14:28:35.790 11241100x800000000000000076677Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.681{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\Stationery\readme.txt2021-06-04 14:28:35.681 11241100x800000000000000076676Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.634{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\MSInfo\readme.txt2021-06-04 14:28:35.634 11241100x800000000000000076675Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.462{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\readme.txt2021-06-04 14:28:35.462 11241100x800000000000000076674Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.446{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Symbols\readme.txt2021-06-04 14:28:35.446 11241100x800000000000000076673Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.446{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Drivers\readme.txt2021-06-04 14:28:35.446 11241100x800000000000000076672Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.446{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Symbols\readme.txt2021-06-04 14:28:35.446 11241100x800000000000000076671Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.446{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Drivers\readme.txt2021-06-04 14:28:35.446 11241100x800000000000000076670Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.446{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\SSM\Plugins\readme.txt2021-06-04 14:28:35.445 11241100x800000000000000076669Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.310{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\SSM\Manifests\readme.txt2021-06-04 14:28:35.310 11241100x800000000000000076668Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.295{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Public\Videos\readme.txt2021-06-04 14:28:35.295 11241100x800000000000000076667Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.295{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Public\Pictures\readme.txt2021-06-04 14:28:35.295 11241100x800000000000000076666Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.279{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Public\Music\readme.txt2021-06-04 14:28:35.279 11241100x800000000000000076665Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.263{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Public\Libraries\readme.txt2021-06-04 14:28:35.263 11241100x800000000000000076664Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDownloads2021-06-04 14:28:35.247{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Public\Downloads\readme.txt2021-06-04 14:28:35.247 23542300x800000000000000076663Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.247{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFE7E84E2176DDFE927A147BE42BBEF,SHA256=3E266D68E6C44D09D3D548D341BE13984D921C3BB5051BB2CE71A58652B5D6D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076662Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.247{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Public\Documents\readme.txt2021-06-04 14:28:35.247 11241100x800000000000000079112Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:35.556{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079111Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:35.556{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58E6B2579A96E78B79989ED056099654,SHA256=D818D472289708070702653999FFB07B44223B23DF72EEADB1868AC67257203F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079110Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.994{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079109Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:34.994{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67069173495FB25B061172164342B53,SHA256=8F83E185B37E74C94FD2419F683BEDC8A8387376FA6D60A4C8A1E723ECAA96D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076661Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.232{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Public\Desktop\readme.txt2021-06-04 14:28:35.232 11241100x800000000000000076660Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.232{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Public\AccountPictures\readme.txt2021-06-04 14:28:35.232 11241100x800000000000000076659Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.216{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Videos\readme.txt2021-06-04 14:28:35.216 11241100x800000000000000076658Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.201{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Searches\readme.txt2021-06-04 14:28:35.201 11241100x800000000000000076657Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.185{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Saved Games\readme.txt2021-06-04 14:28:35.185 11241100x800000000000000076656Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.169{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Pictures\readme.txt2021-06-04 14:28:35.169 11241100x800000000000000076655Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.169{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Music\readme.txt2021-06-04 14:28:35.169 11241100x800000000000000076654Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.154{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Links\readme.txt2021-06-04 14:28:35.154 11241100x800000000000000076653Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.138{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Favorites\readme.txt2021-06-04 14:28:35.138 11241100x800000000000000076652Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDownloads2021-06-04 14:28:35.138{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Downloads\readme.txt2021-06-04 14:28:35.138 11241100x800000000000000076651Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.122{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Documents\readme.txt2021-06-04 14:28:35.122 11241100x800000000000000076650Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.091{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Desktop\readme.txt2021-06-04 14:28:35.091 11241100x800000000000000076649Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.076{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Contacts\readme.txt2021-06-04 14:28:35.076 11241100x800000000000000076648Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:28:35.076{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\readme.txt2021-06-04 14:28:35.076 11241100x800000000000000076647Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.076{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Videos\readme.txt2021-06-04 14:28:35.076 11241100x800000000000000076646Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.044{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Searches\readme.txt2021-06-04 14:28:35.044 11241100x800000000000000076645Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.029{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Saved Games\readme.txt2021-06-04 14:28:35.029 11241100x800000000000000076644Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.029{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Pictures\readme.txt2021-06-04 14:28:35.029 11241100x800000000000000076643Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:35.013{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Music\readme.txt2021-06-04 14:28:35.013 11241100x800000000000000076642Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.998{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Links\readme.txt2021-06-04 14:28:34.998 354300x800000000000000076700Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:34.329{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50695-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000076699Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.431{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\bin\readme.txt2021-06-04 14:28:36.431 11241100x800000000000000076698Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.384{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\ssl\readme.txt2021-06-04 14:28:36.384 11241100x800000000000000076697Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.384{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\readme.txt2021-06-04 14:28:36.384 11241100x800000000000000076696Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.384{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\libexec\readme.txt2021-06-04 14:28:36.384 11241100x800000000000000076695Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.368{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\readme.txt2021-06-04 14:28:36.368 11241100x800000000000000076694Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.352{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\etc\readme.txt2021-06-04 14:28:36.352 11241100x800000000000000076693Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.352{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\doc\readme.txt2021-06-04 14:28:36.352 23542300x800000000000000076692Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.274{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D95D2E1FE878EC16A29BBEC320DF35C,SHA256=1CE45D496204DFF689FEBB8A0771DBA078CE2CD0AADFB3D10089FFC836700464,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079122Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.388{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3894-60BA-370D-00000000C501}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079121Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.388{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079120Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.388{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079119Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.388{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079118Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.388{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-3894-60BA-370D-00000000C501}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079117Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.388{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079116Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.388{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3894-60BA-370D-00000000C501}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079115Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.388{3F3E08E7-3894-60BA-370D-00000000C501}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079114Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.013{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079113Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.013{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D227BE22AD666927850AF8DBB321082D,SHA256=58FA75D70EEA6843AB664A7BE5F217F6B919E575011C3D543A45C625D02D01D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076691Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.118{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\bin\readme.txt2021-06-04 14:28:36.118 11241100x800000000000000076690Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.087{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\etc\ssh\readme.txt2021-06-04 14:28:36.087 11241100x800000000000000076689Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.040{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\etc\profile.d\readme.txt2021-06-04 14:28:36.040 11241100x800000000000000076688Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.040{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\etc\pki\readme.txt2021-06-04 14:28:36.040 11241100x800000000000000076687Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.024{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\etc\pkcs11\readme.txt2021-06-04 14:28:36.024 11241100x800000000000000076686Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.024{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\dev\shm\readme.txt2021-06-04 14:28:36.024 11241100x800000000000000076685Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.024{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\dev\mqueue\readme.txt2021-06-04 14:28:36.024 11241100x800000000000000076684Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:36.009{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\System\Ole DB\readme.txt2021-06-04 14:28:36.009 11241100x800000000000000076735Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.571{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS SDK for .NET\bin\Net35\readme.txt2021-06-04 14:28:37.571 11241100x800000000000000076734Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.540{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\spool\readme.txt2021-06-04 14:28:37.540 11241100x800000000000000076733Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.524{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\run\readme.txt2021-06-04 14:28:37.524 11241100x800000000000000076732Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.524{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\log\readme.txt2021-06-04 14:28:37.524 11241100x800000000000000076731Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.524{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\lib\readme.txt2021-06-04 14:28:37.524 11241100x800000000000000076730Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.509{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\share\splunk\readme.txt2021-06-04 14:28:37.509 11241100x800000000000000076729Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.509{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\lib\engines\readme.txt2021-06-04 14:28:37.509 11241100x800000000000000076728Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.509{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\lib\cmake\readme.txt2021-06-04 14:28:37.509 11241100x800000000000000076727Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.493{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\users\readme.txt2021-06-04 14:28:37.493 11241100x800000000000000076726Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.493{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\system\readme.txt2021-06-04 14:28:37.493 11241100x800000000000000076725Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.493{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\shcluster\readme.txt2021-06-04 14:28:37.493 23542300x800000000000000076724Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.481{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80EC6F26BD623D7601D34AAA728C72A,SHA256=D8580C4832CAC848F07B44AFC7B351BB1A7B04B4A88FFC60B4A11CC6614A44B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079144Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.856{3F3E08E7-3895-60BA-390D-00000000C501}48281180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079143Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.731{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3895-60BA-390D-00000000C501}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079142Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.731{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079141Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.731{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079140Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.731{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079139Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.731{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079138Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.731{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-3895-60BA-390D-00000000C501}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079137Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.731{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3895-60BA-390D-00000000C501}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079136Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.732{3F3E08E7-3895-60BA-390D-00000000C501}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079135Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.403{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079134Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.403{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE51B09ED43196E49E80DF602E77A99E,SHA256=0C84283EFE6CD27A5CCE876B889F1E8B465CCD757E45244494B90BBA7DDBF566,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079133Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.185{3F3E08E7-3895-60BA-380D-00000000C501}36564628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000079132Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.091{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079131Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.091{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1198C5F00BC36F5EF98F28E97DAB6D21,SHA256=D0E76BD06C20D7E862BB4DC7594E441A1C6B254D46912FB5902ABADAC94ACB01,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076723Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.462{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\myinstall\readme.txt2021-06-04 14:28:37.462 11241100x800000000000000076722Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.462{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\readme.txt2021-06-04 14:28:37.462 11241100x800000000000000076721Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.462{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\licenses\readme.txt2021-06-04 14:28:37.462 11241100x800000000000000076720Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.462{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\disabled-apps\readme.txt2021-06-04 14:28:37.462 11241100x800000000000000076719Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.446{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\deployment-apps\readme.txt2021-06-04 14:28:37.446 11241100x800000000000000076718Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.384{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\auth\readme.txt2021-06-04 14:28:37.384 11241100x800000000000000076717Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.384{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\readme.txt2021-06-04 14:28:37.384 11241100x800000000000000076716Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.306{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\bin\scripts\readme.txt2020-02-07 07:06:30.000 23542300x800000000000000076715Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.306{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\SplunkUniversalForwarder\bin\scripts\readme.txtMD5=1C3C112A820249AA965335C18DA30C9A,SHA256=3B6BBA73EE8945EE0EF1822A6B4CA0D17BEFD687609FD3D91C29C46CF346B7B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076714Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.306{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\plugins\NppExport\readme.txt2021-06-04 14:28:37.306 11241100x800000000000000076713Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.306{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\plugins\NppConverter\readme.txt2021-06-04 14:28:37.290 11241100x800000000000000076712Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.290{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\plugins\mimeTools\readme.txt2021-06-04 14:28:37.290 11241100x800000000000000076711Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.290{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\plugins\disabled\readme.txt2021-06-04 14:28:37.290 11241100x800000000000000076710Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.290{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Notepad++\plugins\Config\readme.txt2021-06-04 14:28:37.290 11241100x800000000000000076709Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.290{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\readme.txt2021-06-04 14:28:37.290 11241100x800000000000000076708Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.274{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Mozilla Firefox\defaults\pref\readme.txt2021-06-04 14:28:37.274 11241100x800000000000000076707Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.259{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Mozilla Firefox\browser\VisualElements\readme.txt2021-06-04 14:28:37.259 11241100x800000000000000076706Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.196{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Mozilla Firefox\browser\features\readme.txt2021-06-04 14:28:37.196 11241100x800000000000000076705Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.149{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\ssl\readme.txt2021-06-04 14:28:37.149 11241100x800000000000000076704Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.149{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\readme.txt2021-06-04 14:28:37.149 11241100x800000000000000076703Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.149{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\libexec\readme.txt2021-06-04 14:28:37.149 11241100x800000000000000076702Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.118{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\readme.txt2021-06-04 14:28:37.118 11241100x800000000000000076701Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:37.118{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\etc\readme.txt2021-06-04 14:28:37.118 10341000x800000000000000079130Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.059{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3895-60BA-380D-00000000C501}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079129Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.059{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079128Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.059{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079127Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.059{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079126Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.059{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079125Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.059{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-3895-60BA-380D-00000000C501}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079124Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.059{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3895-60BA-380D-00000000C501}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079123Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.060{3F3E08E7-3895-60BA-380D-00000000C501}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076736Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:38.540{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC6470EB11E2D7586482598FE6EF380,SHA256=9CB92690B1DB3E7EA579F1DF33DEADAE47A075D7423155BE2A6D055ED2B11B42,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079159Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.747{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079158Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.747{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=066A0F466DA87DCCA405A20AB45EBDC9,SHA256=5A07F690F9D1AF1B188AC2D677EB4FA674CB685EB32C6A5AC16AAB2ADCBB2E07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079157Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:37.126{3F3E08E7-F094-60B9-1100-00000000C501}968C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:38e9:3799:f5ff:fef0win-host-243546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x800000000000000079156Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:36.814{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53862-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000079155Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.544{3F3E08E7-3896-60BA-3A0D-00000000C501}2748424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079154Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.403{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3896-60BA-3A0D-00000000C501}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079153Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.403{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079152Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.403{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079151Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.403{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079150Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.403{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079149Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.403{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-3896-60BA-3A0D-00000000C501}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079148Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.403{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3896-60BA-3A0D-00000000C501}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079147Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.404{3F3E08E7-3896-60BA-3A0D-00000000C501}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079146Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.091{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079145Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:38.091{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D70A3E45CB987D386C2662A950E39D0,SHA256=D58C6E58264F67126D882C57A66DB6E4255EB563DF08A4E4145FB605B036EA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076737Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:39.781{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207AFF53752DDA27A4CD148E2741046B,SHA256=3613485E98D4C4747577B04BFFAA8B11C46903453842F2626EB7F0406755CD1F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000079171Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:39.621{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000079170Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:39.621{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01195424) 13241300x800000000000000079169Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:39.621{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75945-0x8740c96e) 13241300x800000000000000079168Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:39.621{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7594d-0xe905316e) 13241300x800000000000000079167Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:39.621{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75956-0x4ac9996e) 13241300x800000000000000079166Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:39.621{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000079165Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:39.621{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01195424) 13241300x800000000000000079164Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:39.621{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75945-0x8740c96e) 13241300x800000000000000079163Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:39.621{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7594d-0xe905316e) 13241300x800000000000000079162Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:39.621{3F3E08E7-F094-60B9-0B00-00000000C501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75956-0x4ac9996e) 11241100x800000000000000079161Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:39.138{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079160Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:39.138{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7958357058B2E3962F76829EB3318A39,SHA256=9B8073CA024A30E21976913FE700397DB04F813FF116DDA8922EC38F7D389161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076738Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:40.796{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7828557B39819174603DABA4A3B3BBDF,SHA256=45A9F0ED47E073EA440512D93D1FDA72B122EA781110FD4CFDCBF522255C406F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079173Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:40.246{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079172Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:40.246{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40874C701DCA6F45144CC8BF466FDB99,SHA256=EE57F11ECF1C8080E9CDD8992000CB5BDBD96ECDDDCD6FAE24236246D242F199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076740Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:41.859{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841296D13144C74B0F5C436415ADE142,SHA256=05E2DD988CC7807C84146F0AB5442336FA603E4ED2A80673A0B4815D19FFD382,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079175Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:41.293{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079174Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:41.293{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4090AD39AFE4D322F995AC16F2F15F04,SHA256=1391CEED978B02EBF39DFD079821F812050F0714B086D3CB1CF5DE89BEF7041C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076739Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:39.347{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50696-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076741Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:42.890{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680AF3CC4794038896190D1D19F2BCC7,SHA256=99B4388771E2268B83BC6E2EB11BEA2BD6E2D3362EFD1C7A54E1D1ACECE7F352,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079177Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:42.387{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079176Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:42.387{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BDABF05D7E80B3F4C5A1BF2C202159,SHA256=2EE739A5165D8F544EB79251AD035D8945E585C99D58086BEC00D7D92FD5DE99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076742Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:43.921{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6452AA00C903407D1BF1D496792211D6,SHA256=AA1A4189DDC8DC35758942D14BAA95DA1B4D08079C85564F6BDDC51230F88BD1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079179Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:43.403{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079178Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:43.403{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88F786A3352780F718D8718F29AF103,SHA256=B2B9FC17263D7C9594D155552FAFEEE3CB6B860E90815F052203625568701829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076743Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:44.937{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938876ADFC3FC27A0244F1115ADB369A,SHA256=9560600AE75D6864D5B7A381FD8A9CD0E78F83F4D8802CAA09F4794ECC233843,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079182Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:42.813{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000079181Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:44.418{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079180Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:44.418{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD8A7478B5185CB9AA7C6A4F5F44750,SHA256=0348CC16BC16F0F945B9C29B37B49AE8921C3541FE77CF97EB85053FE5DD8C6C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079184Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:45.434{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079183Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:45.434{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8958DBD1F463A7531FD0B74D67D9BEF3,SHA256=2D8D89E06C93AB4CCC9E3B21095D9B4D539E6DE50E539F48BE5B34D62F1BE4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076744Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:46.171{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51C8ECF3D29F7ADDD6DF5F6FBB0DE70,SHA256=0AD5D26DE4B4FBD5F6C850263DECF89FBB7E4E5C5F69FB56B3BAB9BB7BE80FDF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079186Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:46.434{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079185Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:46.434{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66878D5C48839BCBADD6FBE8AA4ABBC7,SHA256=40AC739E0AE151DEAE61F5AFC4B7D801546D3265FB207C9E0D7918D86CE4F170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076745Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:47.172{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FDD978160B16853A1D860FA0979B39,SHA256=C28F8EA47377891F15C24DF9DD724EA1DCF6E7C9977BA00E499B8704A0A92E70,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079188Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:47.449{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079187Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:47.449{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BFED0D9DF03CA080DE90E45FC8696D,SHA256=5760B15E0F9EDDD382F7C37A5526917B67C87DCDE727F658058FF1D9FED5F631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076747Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:48.406{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2124B3EA482B276DB937C86EA77497,SHA256=529C0E8339184702FFE72EE54A85638CDFA59A711A8EE51B9095B651F3B2F577,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079190Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:48.465{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079189Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:48.465{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF784B86E8CEF42FBE1FACBE714BFA7E,SHA256=1D297CAAD4BEC2BEA82B6EA285FC907D0AA3C196AB77C55342DC203C767EF28B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076746Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:45.394{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50697-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076748Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:49.421{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C80BB157E97293B55D9AF2139E95CA6,SHA256=0006AE4A0F8DC22735E4889A15A25EBC8406A1F47447F846984B5CC279393D78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079192Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:49.481{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079191Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:49.481{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3175BEFABC8FF24AC29DA8299210ECC7,SHA256=93CC068142FE679DB2636405ACF3CD0040FD4A680DF9277622A32148170D208D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076749Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:50.453{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA89C972BAA1D10DF1C87369E94D428,SHA256=1D4DC525537BAFD245661F307AB7ABA7525433F0EBBD15A4690AD4F964157D8C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079197Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:50.496{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079196Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:50.496{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3E401246DDDE95554BFF59DAC8C517,SHA256=F6FDE5E26B657CEEDF2A2974841BC0D5C136B7951CFEAD650005DF128BC0D854,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079195Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:50.481{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-06-04 09:23:23.209 23542300x800000000000000079194Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:50.481{3F3E08E7-02DF-60BA-6306-00000000C501}4144NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079193Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:47.829{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53864-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076750Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:51.484{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58614463FEF42B2213330CE6735E4D3,SHA256=E4361DE698D2BBBF0E85A53532FA79C10A4A94147F9402FFD619A81D8968F98D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079199Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:51.512{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079198Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:51.512{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA50CFD8E30EB0E77F0FA9DC9A8A7E50,SHA256=5561C40AE199FC64BC3BF1590ADDEC99FED365AE2FB92771CFC00D346F7806F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076752Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:52.937{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS SDK for .NET\bin\Net45\readme.txt2021-06-04 14:28:52.937 23542300x800000000000000076751Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:52.500{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA6C414945EE712EB61F0E685E87AB8,SHA256=73A681D6D93987131C4061B7009C93E946B7800F97C272FDF8026BC68877C14C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079202Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:52.528{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079201Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:52.528{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B43C063DA83A9B62E8DA7A723B108D8,SHA256=27C10BCF385EFB25DA4A5551F8D8BFAD774E652DD2837511C77244C3F9462AE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079200Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:50.204{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53865-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000076753Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:53.703{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49241147DDF6245C2504CDB5BEC2CD2A,SHA256=7159EDF807E3628AC982C1AD2E43B12006EC2AEAEEC04DD89F55B7808DDB9042,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079204Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:53.543{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079203Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:53.543{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725F7DE76E5E9AC49857F2DD827D7570,SHA256=C7D84E22DAA32CFC6D12241D7E639678EB57044823CF42B08716D14C780B5E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076755Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:54.703{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB844CE0B30DA23AB6EA35622C54920,SHA256=6F455487D047A3D04F4049ED7ED4AD9B2953CF80EDC4269D5C3851E46933668C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079207Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:54.559{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079206Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:54.559{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A4E58964E31C0F4085682255F4248C,SHA256=9C350773E6A6BDB2103F2C2D90ECB12E2D9039E45C2016A24504117ECD86C6D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076754Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:51.409{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50698-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x800000000000000079205Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:28:54.262{3F3E08E7-F094-60B9-1500-00000000C501}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7594d-0xf24423be) 23542300x800000000000000076757Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:55.718{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885463A667F50C6E61DE277DA3D11EBF,SHA256=1BD49DB8EF073F250FDCC32A06FE10051B8D1F66BD193D34C08CF83DAD8AF4AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079210Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:55.577{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079209Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:55.577{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC75E50001F467530548420E70D264B8,SHA256=DF4E09A62576FE7595BB15EFDE12161F55545FE51C31EE6DC0D57799FEDB9A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076756Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:55.531{89999F75-EED0-60B9-1100-00000000C401}376NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7A008705C7238C8B519F0E517D69EC16,SHA256=C34E3DB2DF7E74DA5190AA3530F0F42C734C13B64C862FE69F294A2C6FDB557C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079208Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:53.829{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53866-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076758Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:56.734{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9FA4A52A8D3EFB3DBDE5432CB57B66,SHA256=C3B01338F1019A6604D26903CDC5860D03C9ACADDF0AA58D8F538DF69660B5EE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079212Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:56.577{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079211Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:56.577{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B596C0D1C0E638CF75EFA65CDFA902EF,SHA256=34734443D2E2379C3305319FE4D3193EF2DF2826A9B0DC09E9411C7FAB80B3EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076759Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:57.734{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A5E5BACB4118FDCB6DBC6DEF567A26,SHA256=89852ECEB1D286B2CB7C5CB0CB6A2F80C683B4DD58F66B6D4E5AF8B003CAC10F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079214Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:57.592{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079213Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:57.592{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4447C8CCA0BF4F3C844DFB0ABF2680B8,SHA256=17872447839A2F67408E3A23341E2F43C6EB746F01168B51C7B980DF54E3E794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076760Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:58.734{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4B7BC1534C73CDF4B87FE618539F7E,SHA256=56468026E5B6E219328BDD37216892EB880C9202FA3B6D64CA06EF039CE05D6D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079216Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:58.608{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079215Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:58.608{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373336FCFF00C6C8A01A4C93AB60DDAB,SHA256=A2D05296E9823795705D7ECC7D2EE16DA151ACCD919110EA091BEE6FBCF773BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079218Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:59.621{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079217Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:59.621{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59E48CCDD46F93C813D1B5AB9303522,SHA256=C3D22D7B8D2803EC39C11B822FFFE5C1090CD339E26B40A0FAEEF617132B9AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076761Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:59.747{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB18B9C35314EDA499088E4898B25364,SHA256=BF878938E2F69C30A49EF7B163B487B95F42682089C26C7C6F47004EECB6B5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076763Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:00.762{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1855E816401A6C8958CC270F1692A9DF,SHA256=E417701FC436797C91F6410374BED5D0D26E6BB963C6B94F4E375651553D68FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079220Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:00.840{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079219Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:00.840{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED449252D95F773761CBCD3B9238BEAE,SHA256=CAD5D2B451C7592F767EB8F2FF99AC004F4F053D3EC936EC0AD33F093492F966,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076762Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:28:57.425{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50699-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076764Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:01.778{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABCDD3FF19CBF897B523874662CF297,SHA256=2FD0FEE7E01DC7CC6FA17C4A676211A3B2893E9648DF7DBA0C5C2E5C00FC741C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079223Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:01.855{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079222Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:01.855{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33656DFC8EC7204F59FBB22DC348EB59,SHA256=EECBFA0DA75F1A9F21D26D25CBB9917DB0865CE8112A94D9AB6E2848A487C245,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079221Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:28:59.779{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53867-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076765Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:02.793{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17813DE0586A8BE49ABE2A3253E979E7,SHA256=E092FF537477BD9FB1AF1D7C1295D5CD65792567B32F78C50ABBB8A730653BA9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079225Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:02.886{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079224Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:02.886{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F442004A9D7D8936984BA5128933E4,SHA256=4FEA4A4219954116DBFA24366A16F4A0FCFB010F20A49FC044B914D04FC73D04,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079227Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:03.902{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079226Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:03.902{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236CBC83BC9E65724585ECA91EA2D52A,SHA256=8EB5184565D21DAB8E5DCC1340F154F672271B6481D5EFE58DDB3305566B65DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076768Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:03.809{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC6146A7E8C674F0F0125E299F7CDAE,SHA256=C1D451C44EAA14D70EDE06FAA9B38CFD1A022B108A0D9D62274F4177913D8011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076767Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:03.637{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9211F1D335E06A4D12F0665BD7FB48AB,SHA256=49273067B869373D88EC390B8C1EEB55E351575037262E738059F06A723F846A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076766Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:03.637{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4313960250C7281DA7E9198067163D57,SHA256=DF9528830FFB0849AB69DF102C4E548E23ADC84E383ADFD3E2D1BA26013F4725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076769Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:04.825{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8F57BD38155D09AFF1798BC11B02DB,SHA256=D9E0A124D2D170F22EF505E7C912BD7418B9011FFBC56D241E5DB541DE1C6493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076771Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:05.840{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9784A433411D20F594FD2A4676D99D1,SHA256=200A43ADA0D66FFBEEF91478705DAB93FC1341AFB795DD9388D3BAC3468CFF39,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079229Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:05.027{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079228Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:05.027{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C7156C3AF9ACC6D259041DD951FC894,SHA256=C40985AD78ADC4E1250FBDE6514AF098A9CCE1247F7703B7D6DBFCA1D50D6364,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076770Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:03.265{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50700-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076772Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:06.856{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EEAFE7B63F1899F0D03E09F647FFD7,SHA256=25A7C941753033EF37C2790E556A8BA70C918D1D5B80A668AD6C4EFAA0E02500,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079231Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:06.074{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079230Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:06.074{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B3EB601FDE8CA50BD3FEC433EE232C,SHA256=D7D32384F6316B543F57756FA2248E8A42502B237A83B32257F7E42EA3564E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076773Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:07.872{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB63F8DDEDC740F1C0DDD7C95D3275F3,SHA256=5C448B0CE2A92789224961789C8660C6714A2AD224797893B9A0A5BBDDDED6B6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079233Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:07.183{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079232Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:07.183{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419A83620257F3BDBCD0FFAA0E6FCFAB,SHA256=71693207C77391069237493995BD7FC51533F607E351C98A8CC37EC303DEF691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076774Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:08.872{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F084D8378389F2BA500169C314134FB5,SHA256=77B0AAD5A7427C29EEC8B3A3A58ED4792616C591473806A5234C74E5C154D442,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079236Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:05.826{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53868-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000079235Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:08.261{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079234Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:08.261{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BF776C00CA22160D4F503803DBA675,SHA256=2B0D022E9A371A60ED006196FAD7A4563366C0B1073EA062A90A535EE7BBDD1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076776Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:09.887{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B075BF660CF32379FEE61830E0024E7,SHA256=095DD6AE2788BAE0528A6660380AE1C307FEE83226098D1E5D844661393DDCE2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079238Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:09.496{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079237Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:09.496{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C1ACAA35E6DE9BD5F24CBFE50D716A,SHA256=FD22E8B38295A037BF24E1674AC4DFF8AC2D09C97025671A76A6EE72C1AC513E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076775Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:09.590{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-1\readme.txt2021-06-04 14:29:09.590 23542300x800000000000000076780Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:10.903{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3160E48EF6CBBB6D86F53CC69089C34D,SHA256=3D321F591CC187E8AF7592D8B5C0C5EE68C3B0DDF92E74D6A54B38839BEAD4B0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079240Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:10.730{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079239Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:10.730{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72E9CA6818D56A68C6FF91D1E186989,SHA256=493CD5A8B9D9B6663877D97A1D9E8C4E696B44A54A0AEAB48C7B3582843F01B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076779Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:10.122{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS Tools\PowerShell\AWSPowerShell\readme.txt2021-06-04 14:29:10.122 11241100x800000000000000076778Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:10.059{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS Tools\Deployment Tool\Samples\readme.txt2021-06-04 14:29:10.059 11241100x800000000000000076777Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:10.012{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-2\readme.txt2021-06-04 14:29:10.012 23542300x800000000000000076809Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.904{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5271A871BC50A2F3CBF0C6F69A64BEA5,SHA256=BA087E57D2EE5468D625D18799D74EA2072B67331B3DBA6A1DFB6B173012A811,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079244Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:11.761{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079243Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:11.761{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A3699799F91A5700689567229D5C7C,SHA256=97FD1CCB76CCE1FF95AFAD011C580A8E17609AC9B41AB40D927655A5114AB8EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076808Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.639{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\helpers\functions\readme.txt2021-06-04 14:29:11.639 11241100x800000000000000076807Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.575{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\extensions\chocolatey-core\readme.txt2021-06-04 14:29:11.575 11241100x800000000000000076806Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.543{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\.chocolatey\notepadplusplus.install.7.9.5\readme.txt2021-06-04 14:29:11.543 11241100x800000000000000076805Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.528{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\.chocolatey\notepadplusplus.7.9.5\readme.txt2021-06-04 14:29:11.528 354300x800000000000000076804Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:09.297{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50701-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000076803Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.497{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\.chocolatey\git.install.2.31.1\readme.txt2021-06-04 14:29:11.497 11241100x800000000000000076802Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.481{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\.chocolatey\git.2.31.1\readme.txt2021-06-04 14:29:11.481 11241100x800000000000000076801Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.453{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\.chocolatey\Firefox.89.0\readme.txt2021-06-04 14:29:11.453 11241100x800000000000000076800Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.434{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\.chocolatey\chocolatey-core.extension.1.3.5.1\readme.txt2021-06-04 14:29:11.434 11241100x800000000000000076799Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.403{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\.chocolatey\7zip.install.19.0\readme.txt2021-06-04 14:29:11.403 11241100x800000000000000076798Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.387{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\.chocolatey\7zip.19.0\readme.txt2021-06-04 14:29:11.387 11241100x800000000000000076797Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.387{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\Packages\readme.txt2021-06-04 14:29:11.387 11241100x800000000000000076796Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.340{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\Logs\readme.txt2021-06-04 14:29:11.340 11241100x800000000000000076795Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.340{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\Locks\readme.txt2021-06-04 14:29:11.340 11241100x800000000000000076794Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.340{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\LocalCommands\readme.txt2021-06-04 14:29:11.340 11241100x800000000000000076793Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.340{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\InstanceData\readme.txt2021-06-04 14:29:11.340 11241100x800000000000000076792Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.340{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\Daemons\readme.txt2021-06-04 14:29:11.340 11241100x800000000000000076791Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.309{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\System\Ole DB\readme.txt2021-06-04 14:29:11.309 11241100x800000000000000076790Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.293{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\System\msadc\readme.txt2021-06-04 14:29:11.293 11241100x800000000000000076789Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.293{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\System\en-US\readme.txt2021-06-04 14:29:11.293 11241100x800000000000000076788Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.231{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\System\ado\readme.txt2021-06-04 14:29:11.231 11241100x800000000000000076787Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.231{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\VGX\readme.txt2021-06-04 14:29:11.231 11241100x800000000000000076786Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.215{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\readme.txt2021-06-04 14:29:11.215 11241100x800000000000000076785Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.215{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\readme.txt2021-06-04 14:29:11.215 11241100x800000000000000076784Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.106{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\readme.txt2021-06-04 14:29:11.106 11241100x800000000000000076783Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.106{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\readme.txt2021-06-04 14:29:11.106 11241100x800000000000000076782Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.106{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\ink\readme.txt2021-06-04 14:29:11.106 11241100x800000000000000076781Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.106{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\DAO\readme.txt2021-06-04 14:29:11.106 10341000x800000000000000079242Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:11.355{3F3E08E7-F094-60B9-1400-00000000C501}8842340C:\Windows\system32\svchost.exe{3F3E08E7-387F-60BA-300D-00000000C501}1868C:\Temp\test\conti.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079241Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:11.355{3F3E08E7-F094-60B9-1400-00000000C501}8841080C:\Windows\system32\svchost.exe{3F3E08E7-387F-60BA-300D-00000000C501}1868C:\Temp\test\conti.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000076820Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:12.935{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\notepadplusplus.install\readme.txt2021-06-04 14:29:12.935 11241100x800000000000000076819Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:12.920{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\notepadplusplus\readme.txt2021-06-04 14:29:12.920 23542300x800000000000000076818Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:12.920{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B2C5DB804F36C76FD533EBFD881CB9,SHA256=65677148724F96B3A3C43EA743C300C232475E31E7863FE6778A941A4F49292C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079250Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:12.777{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079249Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:12.777{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82E4B24A345E5116B38FEB491E5CCE1,SHA256=87646846F2F1F96251EBC8A5A8F3FC3857A2DA7446C4AD2D74A539A41E3B91D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076817Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:10.061{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse159.89.104.24810.ent.x64.eval.us-english.gz-s-8vcpu-16gb-amd-fra1-0162619-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 11241100x800000000000000076816Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:12.154{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\git.install\readme.txt2021-06-04 14:29:12.154 11241100x800000000000000076815Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:12.138{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\git\readme.txt2021-06-04 14:29:12.138 11241100x800000000000000076814Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:12.123{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\Firefox\readme.txt2021-06-04 14:29:12.123 11241100x800000000000000076813Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:12.107{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\chocolatey-core.extension\readme.txt2021-06-04 14:29:12.107 11241100x800000000000000076812Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:12.060{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\chocolatey\readme.txt2021-06-04 14:29:12.060 11241100x800000000000000076811Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:12.013{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\7zip.install\readme.txt2021-06-04 14:29:12.013 11241100x800000000000000076810Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:11.998{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\7zip\readme.txt2021-06-04 14:29:11.998 11241100x800000000000000079248Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:12.402{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-06-04 09:20:37.026 23542300x800000000000000079247Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:12.402{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A2C1BC67D87304CD2B00D89401A6AC9C,SHA256=9530F56FB09C166C9F74AB4C5C08E11D01F9A421D3FF8D5618688C5C47479059,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079246Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:12.402{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-06-04 09:20:37.026 23542300x800000000000000079245Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:12.402{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=35A788316F8032E6AF39297BCF4B6B94,SHA256=9A8CCC8CEC29F6C45BF4E4A2EC43DF7F91A198DD92F036137F1F397E7C8DCD99,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076866Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.938{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Drivers\xenvbd\readme.txt2021-06-04 14:29:13.938 11241100x800000000000000076865Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.922{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Drivers\xennet\readme.txt2021-06-04 14:29:13.922 11241100x800000000000000079252Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:13.793{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079251Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:13.793{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE1AEC3DB1EFC800D6A026F6DEBEC3E,SHA256=9CFD7BB31C41233D102EFA0F6A830A555F523071B4D1A05797E35D682C100EC0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076864Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.906{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Drivers\xeniface\readme.txt2021-06-04 14:29:13.906 11241100x800000000000000076863Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Drivers\xenbus\readme.txt2021-06-04 14:29:13.875 11241100x800000000000000076862Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.875{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\SSM\Plugins\SessionManagerShell\readme.txt2021-06-04 14:29:13.875 11241100x800000000000000076861Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.813{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\readme.txt2021-06-04 14:29:13.813 11241100x800000000000000076860Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.732{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\readme.txt2021-06-04 14:29:13.732 11241100x800000000000000076859Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:13.717{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\Favorites\Links\readme.txt2021-06-04 14:29:13.717 11241100x800000000000000076858Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:13.717{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\readme.txt2021-06-04 14:29:13.717 11241100x800000000000000076857Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:13.717{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\LocalLow\readme.txt2021-06-04 14:29:13.717 11241100x800000000000000076856Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:13.685{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\readme.txt2021-06-04 14:29:13.685 11241100x800000000000000076855Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.685{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\Favorites\Links\readme.txt2021-06-04 14:29:13.685 11241100x800000000000000076854Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.685{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\readme.txt2021-06-04 14:29:13.685 11241100x800000000000000076853Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.670{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\LocalLow\readme.txt2021-06-04 14:29:13.670 11241100x800000000000000076852Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.654{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\readme.txt2021-06-04 14:29:13.654 11241100x800000000000000076851Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.654{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\USOShared\Logs\User\readme.txt2021-06-04 14:29:13.654 11241100x800000000000000076850Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.185{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{EECDD137-13DA-46ED-ADA0-BDF7F8BE65B8}v14.28.29913\packages\readme.txt2021-06-04 14:29:13.185 11241100x800000000000000076849Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.185{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{620A7633-7A09-42A8-8580-076A4483C4B0}v14.28.29913\packages\readme.txt2021-06-04 14:29:13.185 11241100x800000000000000076848Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.185{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\WinMSIPC\Server\readme.txt2021-06-04 14:29:13.185 11241100x800000000000000076847Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.156{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\readme.txt2021-06-04 14:29:13.156 11241100x800000000000000076846Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.156{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Settings\Accounts\readme.txt2021-06-04 14:29:13.156 11241100x800000000000000076845Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.138{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\ServerManager\Events\readme.txt2021-06-04 14:29:13.138 11241100x800000000000000076844Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.123{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Network\Downloader\readme.txt2021-06-04 14:29:13.123 11241100x800000000000000076843Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.123{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Network\Connections\readme.txt2021-06-04 14:29:13.123 11241100x800000000000000076842Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.123{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\readme.txt2021-06-04 14:29:13.123 11241100x800000000000000076841Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.123{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\IdentityCRL\production\readme.txt2021-06-04 14:29:13.123 11241100x800000000000000076840Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.123{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\IdentityCRL\INT\readme.txt2021-06-04 14:29:13.123 11241100x800000000000000076839Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.107{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Event Viewer\Views\readme.txt2021-06-04 14:29:13.107 11241100x800000000000000076838Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.107{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\DRM\Server\readme.txt2021-06-04 14:29:13.107 11241100x800000000000000076837Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.107{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\readme.txt2021-06-04 14:29:13.107 11241100x800000000000000076836Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.107{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\SoftLanding\readme.txt2021-06-04 14:29:13.107 11241100x800000000000000076835Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.107{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\Sideload\readme.txt2021-06-04 14:29:13.107 11241100x800000000000000076834Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.107{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\readme.txt2021-06-04 14:29:13.107 11241100x800000000000000076833Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.107{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\ETLLogs\readme.txt2021-06-04 14:29:13.107 11241100x800000000000000076832Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.092{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\readme.txt2021-06-04 14:29:13.092 11241100x800000000000000076831Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.076{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\readme.txt2021-06-04 14:29:13.076 11241100x800000000000000076830Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.076{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\AsimovUploader\readme.txt2021-06-04 14:29:13.076 11241100x800000000000000076829Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.076{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Device Stage\Task\readme.txt2021-06-04 14:29:13.076 11241100x800000000000000076828Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.076{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Device Stage\Device\readme.txt2021-06-04 14:29:13.076 11241100x800000000000000076827Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.060{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Crypto\SystemKeys\readme.txt2021-06-04 14:29:13.060 11241100x800000000000000076826Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.060{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Crypto\RSA\readme.txt2021-06-04 14:29:13.060 11241100x800000000000000076825Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.060{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Crypto\PCPKSP\readme.txt2021-06-04 14:29:13.060 11241100x800000000000000076824Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.060{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Crypto\OIDInfo\readme.txt2021-06-04 14:29:13.060 11241100x800000000000000076823Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.045{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Crypto\Keys\readme.txt2021-06-04 14:29:13.045 11241100x800000000000000076822Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.045{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Crypto\DSS\readme.txt2021-06-04 14:29:13.045 11241100x800000000000000076821Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.045{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\AppV\Setup\readme.txt2021-06-04 14:29:13.045 11241100x800000000000000076876Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:14.938{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Symbols\xenvif\readme.txt2021-06-04 14:29:14.938 23542300x800000000000000076875Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:14.922{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C8DFCE3083268D277FF270EBCB1F7F,SHA256=3A0A6561973CEDFBE2155EB31FB32C61BBA193F5FD36A5063BB466FAF9D4F417,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079288Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}7762372C:\Windows\system32\svchost.exe{3F3E08E7-FC3D-60B9-2A05-00000000C501}1680C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079287Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079286Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079285Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079284Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079283Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079282Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079281Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079280Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079279Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC43-60B9-4205-00000000C501}4188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079278Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-F095-60B9-2100-00000000C501}1932C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079277Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-F095-60B9-2100-00000000C501}1932C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079276Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079275Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079274Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079273Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079272Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079271Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079270Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079269Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079268Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079267Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079266Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079265Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079264Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079263Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079262Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079261Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079260Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079259Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC3E-60B9-3405-00000000C501}952C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079258Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC44-60B9-4305-00000000C501}4364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079257Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC44-60B9-4305-00000000C501}4364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079256Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.808{3F3E08E7-F094-60B9-0D00-00000000C501}776808C:\Windows\system32\svchost.exe{3F3E08E7-FC44-60B9-4305-00000000C501}4364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000079255Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.793{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079254Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:14.793{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757A34F4A5D7C5B4C20667E879842051,SHA256=AA838A5C30026B260E3A1BD9A3BA872EC61E85910B2828E86FC611BA2C2794F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076874Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:14.844{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FCB90D354FA6EB5BF1B39A02B78105F,SHA256=22F40F8DACE3FAC38802CF41E0CE9E9F2D5867CB1E078C0E22C6CEADFE6CF92F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076873Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:14.844{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9211F1D335E06A4D12F0665BD7FB48AB,SHA256=49273067B869373D88EC390B8C1EEB55E351575037262E738059F06A723F846A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076872Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:14.672{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Symbols\xenvbd\readme.txt2021-06-04 14:29:14.672 11241100x800000000000000076871Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:14.610{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Symbols\xennet\readme.txt2021-06-04 14:29:14.610 11241100x800000000000000076870Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:14.250{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Symbols\xeniface\readme.txt2021-06-04 14:29:14.250 23542300x800000000000000076869Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:14.094{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CB69A0B2E2AADB0CA2C6460AD206B1,SHA256=5265A0BFBFEFCFAD51D1561ECB67B760806611E77FA148E19EB90C7302E02ACC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076868Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:14.031{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Symbols\xenbus\readme.txt2021-06-04 14:29:14.031 11241100x800000000000000076867Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:14.016{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\.Drivers\xenvif\readme.txt2021-06-04 14:29:14.016 354300x800000000000000079253Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:11.841{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000076917Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.985{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\pt-BR\readme.txt2021-06-04 14:29:15.985 11241100x800000000000000076916Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.985{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\pl-PL\readme.txt2021-06-04 14:29:15.985 11241100x800000000000000076915Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.985{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\nl-NL\readme.txt2021-06-04 14:29:15.985 11241100x800000000000000076914Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.985{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\nb-NO\readme.txt2021-06-04 14:29:15.985 11241100x800000000000000076913Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.985{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\lv-LV\readme.txt2021-06-04 14:29:15.985 11241100x800000000000000076912Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.985{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\lt-LT\readme.txt2021-06-04 14:29:15.985 11241100x800000000000000076911Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.969{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\LanguageModel\readme.txt2021-06-04 14:29:15.969 11241100x800000000000000076910Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.969{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\ko-KR\readme.txt2021-06-04 14:29:15.969 11241100x800000000000000076909Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.969{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\ja-JP\readme.txt2021-06-04 14:29:15.969 11241100x800000000000000076908Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.969{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\it-IT\readme.txt2021-06-04 14:29:15.969 11241100x800000000000000076907Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.953{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\readme.txt2021-06-04 14:29:15.953 11241100x800000000000000076906Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.953{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\hu-HU\readme.txt2021-06-04 14:29:15.953 11241100x800000000000000076905Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.953{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\hr-HR\readme.txt2021-06-04 14:29:15.953 11241100x800000000000000076904Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.953{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\he-IL\readme.txt2021-06-04 14:29:15.953 23542300x800000000000000076903Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.938{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA15F5F4F149A415B33FBB7BF7750A2,SHA256=6598B04D04F30BF27BAC2A5273FE6D748FB1C1C102EB598B02B99A18652A66C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076902Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.906{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\readme.txt2021-06-04 14:29:15.906 11241100x800000000000000076901Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.906{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fr-FR\readme.txt2021-06-04 14:29:15.906 11241100x800000000000000076900Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fr-CA\readme.txt2021-06-04 14:29:15.891 11241100x800000000000000076899Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fi-FI\readme.txt2021-06-04 14:29:15.891 11241100x800000000000000076898Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\et-EE\readme.txt2021-06-04 14:29:15.891 11241100x800000000000000076897Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\es-MX\readme.txt2021-06-04 14:29:15.891 11241100x800000000000000076896Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\es-ES\readme.txt2021-06-04 14:29:15.891 11241100x800000000000000076895Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.844{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\en-US\readme.txt2021-06-04 14:29:15.844 11241100x800000000000000076894Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.844{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\en-GB\readme.txt2021-06-04 14:29:15.844 11241100x800000000000000076893Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.844{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\el-GR\readme.txt2021-06-04 14:29:15.844 11241100x800000000000000076892Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.844{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\de-DE\readme.txt2021-06-04 14:29:15.844 11241100x800000000000000076891Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.828{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\da-DK\readme.txt2021-06-04 14:29:15.828 11241100x800000000000000076890Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.828{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\cs-CZ\readme.txt2021-06-04 14:29:15.828 11241100x800000000000000076889Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.828{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\bg-BG\readme.txt2021-06-04 14:29:15.828 11241100x800000000000000076888Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.828{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\ar-SA\readme.txt2021-06-04 14:29:15.828 11241100x800000000000000076887Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.735{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Symbols\xenvif\readme.txt2021-06-04 14:29:15.735 11241100x800000000000000076886Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.672{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Symbols\xenvbd\readme.txt2021-06-04 14:29:15.672 11241100x800000000000000076885Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.641{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Symbols\xennet\readme.txt2021-06-04 14:29:15.641 354300x800000000000000076884Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:13.535{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50702-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 11241100x800000000000000076883Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.328{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Symbols\xeniface\readme.txt2021-06-04 14:29:15.328 11241100x800000000000000076882Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.156{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Symbols\xenbus\readme.txt2021-06-04 14:29:15.156 11241100x800000000000000076881Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.141{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Drivers\xenvif\readme.txt2021-06-04 14:29:15.141 11241100x800000000000000076880Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.125{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Drivers\xenvbd\readme.txt2021-06-04 14:29:15.125 11241100x800000000000000076879Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.110{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Drivers\xennet\readme.txt2021-06-04 14:29:15.110 11241100x800000000000000076878Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Drivers\xeniface\readme.txt2021-06-04 14:29:15.094 11241100x800000000000000076877Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.078{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Amazon\XenTools\Drivers\xenbus\readme.txt2021-06-04 14:29:15.078 11241100x800000000000000079290Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:16.261{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079289Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:16.261{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EBF4EC6FD8004A4BAA7E374A9934AC,SHA256=2D4E9DEDEF13A1625664749C5AC314FD74B8AE968F9FDFBA462ED71243AA5402,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076950Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.813{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\antiword\readme.txt2021-06-04 14:29:16.813 11241100x800000000000000076949Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.469{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\libexec\git-core\readme.txt2021-06-04 14:29:16.469 11241100x800000000000000076948Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.219{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tk8.6\readme.txt2021-06-04 14:29:16.219 11241100x800000000000000076947Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.203{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\thread2.8.6\readme.txt2021-06-04 14:29:16.203 11241100x800000000000000076946Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.125{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\readme.txt2021-06-04 14:29:16.125 11241100x800000000000000076945Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.110{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8\readme.txt2021-06-04 14:29:16.110 11241100x800000000000000076944Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.110{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\reg1.3\readme.txt2021-06-04 14:29:16.110 11241100x800000000000000076943Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\p11-kit\readme.txt2021-06-04 14:29:16.094 11241100x800000000000000076942Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\engines-1_1\readme.txt2021-06-04 14:29:16.094 11241100x800000000000000076941Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\etc\pki\readme.txt2021-06-04 14:29:16.094 11241100x800000000000000076940Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.063{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\doc\git-credential-manager-core\readme.txt2021-06-04 14:29:16.063 11241100x800000000000000076939Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.047{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\doc\git-credential-manager\readme.txt2021-06-04 14:29:16.047 11241100x800000000000000076938Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.047{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\etc\pki\ca-trust\readme.txt2021-06-04 14:29:16.047 11241100x800000000000000076937Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.031{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\System\Ole DB\en-US\readme.txt2021-06-04 14:29:16.031 11241100x800000000000000076936Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.031{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\System\msadc\en-US\readme.txt2021-06-04 14:29:16.031 11241100x800000000000000076935Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.031{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\System\ado\en-US\readme.txt2021-06-04 14:29:16.031 11241100x800000000000000076934Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.031{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\Triedit\en-US\readme.txt2021-06-04 14:29:16.031 11241100x800000000000000076933Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.031{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\TextConv\en-US\readme.txt2021-06-04 14:29:16.031 11241100x800000000000000076932Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.031{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\MSInfo\en-US\readme.txt2021-06-04 14:29:16.031 11241100x800000000000000076931Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.031{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\zh-TW\readme.txt2021-06-04 14:29:16.031 11241100x800000000000000076930Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.016{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\zh-HK\readme.txt2021-06-04 14:29:16.016 11241100x800000000000000076929Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.016{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\zh-CN\readme.txt2021-06-04 14:29:16.016 11241100x800000000000000076928Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.016{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\uk-UA\readme.txt2021-06-04 14:29:16.016 11241100x800000000000000076927Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.016{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\tr-TR\readme.txt2021-06-04 14:29:16.016 11241100x800000000000000076926Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.016{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\th-TH\readme.txt2021-06-04 14:29:16.016 11241100x800000000000000076925Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.016{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\sv-SE\readme.txt2021-06-04 14:29:16.016 11241100x800000000000000076924Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.016{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\readme.txt2021-06-04 14:29:16.016 11241100x800000000000000076923Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.000{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\readme.txt2021-06-04 14:29:16.000 11241100x800000000000000076922Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.000{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\sl-SI\readme.txt2021-06-04 14:29:16.000 11241100x800000000000000076921Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.000{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\sk-SK\readme.txt2021-06-04 14:29:16.000 11241100x800000000000000076920Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.000{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\ru-RU\readme.txt2021-06-04 14:29:16.000 11241100x800000000000000076919Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.000{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\ro-RO\readme.txt2021-06-04 14:29:16.000 11241100x800000000000000076918Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:16.000{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\pt-PT\readme.txt2021-06-04 14:29:15.985 11241100x800000000000000079292Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:17.277{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079291Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:17.277{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C867FA42327CB9AA16D731FDE5F470A1,SHA256=ACEBB907A52DAA4FC69DB22F119F6EB1DA5E9E01DCF10DF23AF75DCD6A579806,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076988Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.813{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\gnupg\readme.txt2021-06-04 14:29:17.813 11241100x800000000000000076987Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.813{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\glib-2.0\readme.txt2021-06-04 14:29:17.813 11241100x800000000000000076986Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.797{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\git\readme.txt2021-06-04 14:29:17.781 11241100x800000000000000076985Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.781{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\gdb\readme.txt2021-06-04 14:29:17.781 11241100x800000000000000076984Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.781{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\fish\readme.txt2021-06-04 14:29:17.781 11241100x800000000000000076983Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.781{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\cygwin\readme.txt2021-06-04 14:29:17.781 11241100x800000000000000076982Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.766{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\bash-completion\readme.txt2021-06-04 14:29:17.766 11241100x800000000000000076981Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.594{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\awk\readme.txt2021-06-04 14:29:17.594 11241100x800000000000000076980Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.578{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\applications\readme.txt2021-06-04 14:29:17.578 11241100x800000000000000076979Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.563{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\libexec\p11-kit\readme.txt2021-06-04 14:29:17.563 11241100x800000000000000076978Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.563{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\terminfo\readme.txt2021-06-04 14:29:17.563 354300x800000000000000076977Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:15.331{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50703-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000076976Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.469{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8.6\readme.txt2021-06-04 14:29:17.469 11241100x800000000000000076975Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.469{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8\readme.txt2021-06-04 14:29:17.469 11241100x800000000000000076974Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.453{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tar\readme.txt2021-06-04 14:29:17.453 11241100x800000000000000076973Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.453{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\ssh\readme.txt2021-06-04 14:29:17.453 11241100x800000000000000076972Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.438{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\sasl2\readme.txt2021-06-04 14:29:17.438 11241100x800000000000000076971Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.438{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\pkcs11\readme.txt2021-06-04 14:29:17.438 11241100x800000000000000076970Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.438{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\readme.txt2021-06-04 14:29:17.438 11241100x800000000000000076969Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.438{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\p11-kit\readme.txt2021-06-04 14:29:17.438 11241100x800000000000000076968Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.422{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\openssl\readme.txt2021-06-04 14:29:17.422 11241100x800000000000000076967Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.422{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\gnupg\readme.txt2021-06-04 14:29:17.422 11241100x800000000000000076966Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.406{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\gettext\readme.txt2021-06-04 14:29:17.406 11241100x800000000000000076965Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.406{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\gawk\readme.txt2021-06-04 14:29:17.406 11241100x800000000000000076964Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.391{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\awk\readme.txt2021-06-04 14:29:17.391 11241100x800000000000000076963Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.375{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\etc\profile.d\readme.txt2021-06-04 14:29:17.375 11241100x800000000000000076962Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.344{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\bin\vendor_perl\readme.txt2021-06-04 14:29:17.344 11241100x800000000000000076961Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.141{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\bin\core_perl\readme.txt2021-06-04 14:29:17.141 11241100x800000000000000076960Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\ssl\certs\readme.txt2021-06-04 14:29:17.094 11241100x800000000000000076959Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\pki\readme.txt2021-06-04 14:29:17.094 11241100x800000000000000076958Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.078{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\perl5\readme.txt2021-06-04 14:29:17.078 11241100x800000000000000076957Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.078{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\readme.txt2021-06-04 14:29:17.078 11241100x800000000000000076956Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.078{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\git-gui\readme.txt2021-06-04 14:29:17.078 11241100x800000000000000076955Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.078{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\git-core\readme.txt2021-06-04 14:29:17.078 11241100x800000000000000076954Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.063{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\git\readme.txt2021-06-04 14:29:17.063 11241100x800000000000000076953Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.047{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\gettext-0.19.8\readme.txt2021-06-04 14:29:17.047 11241100x800000000000000076952Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.047{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\readme.txt2021-06-04 14:29:17.047 23542300x800000000000000076951Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:17.000{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B06A1ABE6C73FF67A3CDD33BA1FDA98,SHA256=8FC21B577FE70CDC927DF572EAF6CB70FBEEFB4BB3E6E0789151E7241E188E9E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079294Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:18.511{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079293Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:18.511{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F874B4B51425BCE670FC4CEBB8E6A547,SHA256=FE1FF7C0F82A9AF6E59F36D86647BEABB2EA462E62DAD40CFE389D3F0BEC4E15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077031Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.922{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\system\README\readme.txt2021-06-04 14:29:18.922 11241100x800000000000000077030Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.906{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\system\metadata\readme.txt2021-06-04 14:29:18.906 11241100x800000000000000077029Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.875{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\system\local\readme.txt2021-06-04 14:29:18.875 11241100x800000000000000077028Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.672{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\system\default\readme.txt2021-06-04 14:29:18.672 11241100x800000000000000077027Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.610{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\system\bin\readme.txt2021-06-04 14:29:18.610 11241100x800000000000000077026Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.610{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\shcluster\users\readme.txt2021-06-04 14:29:18.610 11241100x800000000000000077025Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.594{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\shcluster\apps\readme.txt2021-06-04 14:29:18.594 11241100x800000000000000077024Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.578{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\parsing\readme.txt2021-06-04 14:29:18.578 11241100x800000000000000077023Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.578{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\input\readme.txt2021-06-04 14:29:18.578 11241100x800000000000000077022Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.578{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\licenses\forwarder\readme.txt2021-06-04 14:29:18.578 11241100x800000000000000077021Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.578{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\auth\scripts\readme.txt2021-06-04 14:29:18.578 11241100x800000000000000077020Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.563{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\auth\prev_release\readme.txt2021-06-04 14:29:18.563 11241100x800000000000000077019Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.547{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\auth\crl\readme.txt2021-06-04 14:29:18.547 11241100x800000000000000077018Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\win_outputs_app\readme.txt2021-06-04 14:29:18.531 11241100x800000000000000077017Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\win_inputs_app\readme.txt2021-06-04 14:29:18.531 11241100x800000000000000077016Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\win_deploymentclient_app\readme.txt2021-06-04 14:29:18.531 11241100x800000000000000077015Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\sysmon_inputs_app\readme.txt2021-06-04 14:29:18.531 11241100x800000000000000077014Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.516{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\readme.txt2021-06-04 09:11:40.397 23542300x800000000000000077013Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.516{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\README.txtMD5=ECEA768F3FF9BD72BB005EC092E3FEA5,SHA256=2B13F84099FA126A855073949421F2CE023A7700637E1568255CAF5D0AF239A3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077012Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.500{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\readme.txt2021-06-04 14:29:18.500 11241100x800000000000000077011Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.500{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\readme.txt2021-06-04 14:29:18.500 11241100x800000000000000077010Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.500{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\readme.txt2021-06-04 14:29:18.500 11241100x800000000000000077009Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.500{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\search\readme.txt2021-06-04 14:29:18.500 11241100x800000000000000077008Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.500{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\powershell_inputs_app\readme.txt2021-06-04 14:29:18.500 11241100x800000000000000077007Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.485{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\learned\readme.txt2021-06-04 14:29:18.485 11241100x800000000000000077006Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.485{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\readme.txt2021-06-04 14:29:18.485 11241100x800000000000000077005Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.485{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\attack_simulation_inputs_app\readme.txt2021-06-04 14:29:18.485 11241100x800000000000000077004Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.469{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\ssl\misc\readme.txt2021-06-04 14:29:18.469 11241100x800000000000000077003Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.438{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\ssl\certs\readme.txt2021-06-04 14:29:18.438 11241100x800000000000000077002Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.438{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\readme.txt2021-06-04 14:29:18.438 11241100x800000000000000077001Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.438{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\terminfo\readme.txt2021-06-04 14:29:18.438 11241100x800000000000000077000Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.406{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\tabset\readme.txt2021-06-04 14:29:18.406 11241100x800000000000000076999Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.406{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\pki\readme.txt2021-06-04 14:29:18.406 11241100x800000000000000076998Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.406{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\readme.txt2021-06-04 14:29:18.406 11241100x800000000000000076997Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.391{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\p11-kit\readme.txt2021-06-04 14:29:18.391 11241100x800000000000000076996Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.125{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\nano\readme.txt2021-06-04 14:29:18.125 11241100x800000000000000076995Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.063{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\misc\readme.txt2021-06-04 14:29:18.063 11241100x800000000000000076994Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.047{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\mintty\readme.txt2021-06-04 14:29:18.047 11241100x800000000000000076993Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.047{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\makepkg\readme.txt2021-06-04 14:29:18.047 11241100x800000000000000076992Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.047{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\readme.txt2021-06-04 14:29:18.047 11241100x800000000000000076991Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.047{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\icons\readme.txt2021-06-04 14:29:18.047 11241100x800000000000000076990Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.047{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\gtk-doc\readme.txt2021-06-04 14:29:18.047 23542300x800000000000000076989Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:18.003{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5DC1FECFE2B6886767634B2E4F5706,SHA256=CD30A89A8C6E60330F35940F04FCD5505E3335A7F20D96B49C3354493E6A162D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079296Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:19.605{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079295Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:19.605{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18F8D580B388200774DF10A8ADBB7A6,SHA256=08D5880457731FCCC0D7CD165F819AB5827A5258D8A3D72CBA029BB7C5C18B2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077055Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.891{89999F75-38BF-60BA-F80D-00000000C401}51123656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077054Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.875{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\log\splunk\readme.txt2021-06-04 14:29:19.875 11241100x800000000000000077053Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.828{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\log\introspection\readme.txt2021-06-04 14:29:19.828 11241100x800000000000000077052Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.828{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\readme.txt2021-06-04 14:29:19.828 10341000x800000000000000077051Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-38BF-60BA-F80D-00000000C401}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077050Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077049Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077048Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077047Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077046Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077045Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077044Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077043Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077042Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077041Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-38BF-60BA-F80D-00000000C401}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077040Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.703{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-38BF-60BA-F80D-00000000C401}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077039Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.704{89999F75-38BF-60BA-F80D-00000000C401}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077038Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.500{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\share\splunk\3rdparty\readme.txt2021-06-04 14:29:19.500 11241100x800000000000000077037Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.485{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\lib\cmake\libmongoc-static-1.0\readme.txt2021-06-04 14:29:19.485 11241100x800000000000000077036Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.469{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\lib\cmake\libmongoc-1.0\readme.txt2021-06-04 14:29:19.469 11241100x800000000000000077035Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.469{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\lib\cmake\libbson-static-1.0\readme.txt2021-06-04 14:29:19.469 11241100x800000000000000077034Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.453{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\lib\cmake\libbson-1.0\readme.txt2021-06-04 14:29:19.453 11241100x800000000000000077033Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.422{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\system\static\readme.txt2021-06-04 14:29:19.422 23542300x800000000000000077032Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:19.281{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE48388FDA80F7DD22763C9CE0479DC5,SHA256=EE3B088EFD869A33497692C58075009B9A24E1CB420FB7FF1119A72D578DE832,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079303Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:20.874{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-06-04 09:20:37.026 23542300x800000000000000079302Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:20.874{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6D6A369189BC90A04B8BAA21902A00C6,SHA256=1E1B5D315A19BF0F6B5259F8213359C44610D2C0956F1A4E3184E9734901B723,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079301Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:20.874{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-06-04 09:20:37.026 23542300x800000000000000079300Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:20.874{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A2C1BC67D87304CD2B00D89401A6AC9C,SHA256=9530F56FB09C166C9F74AB4C5C08E11D01F9A421D3FF8D5618688C5C47479059,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079299Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:20.656{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079298Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:20.656{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50402EF68A6708140C513FE8E6BBEDAE,SHA256=1EF7033476A5272EE4675E7EDAC295177A75E4CBBF542126894ABEC1E3D31149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077074Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.703{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF0BA7DE9029F617D8C7F1F9AF0D100,SHA256=131530B1C03CCCC05B631FB221C73F297C1979E0DFC5569959C2127D1FB948EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077073Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.703{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FCB90D354FA6EB5BF1B39A02B78105F,SHA256=22F40F8DACE3FAC38802CF41E0CE9E9F2D5867CB1E078C0E22C6CEADFE6CF92F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077072Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-38C0-60BA-F90D-00000000C401}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077071Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077070Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077069Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077068Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077067Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077066Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077065Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077064Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077063Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077062Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EECD-60B9-0500-00000000C401}408412C:\Windows\system32\csrss.exe{89999F75-38C0-60BA-F90D-00000000C401}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077061Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.375{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-38C0-60BA-F90D-00000000C401}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077060Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.378{89999F75-38C0-60BA-F90D-00000000C401}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077059Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.297{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AE1B5FDB5F9D869B7CD2CB21ED3563,SHA256=7D2641386B5D21D0779450B882872B7A54DFB0D0E8900BD25013A99E8DCF7DA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079297Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:17.888{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53870-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077058Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.110{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\run\splunk_stream_deployment\readme.txt2021-06-04 14:29:20.110 11241100x800000000000000077057Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.078{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\run\splunk\readme.txt2021-06-04 14:29:20.078 11241100x800000000000000077056Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:20.063{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\log\watchdog\readme.txt2021-06-04 14:29:20.063 11241100x800000000000000079305Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:21.687{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079304Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:21.687{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E025F94D282430489B542593AE9833CE,SHA256=E8B340FE539194A9D736E5FA57C011D7B1A224CDDF332879F17B1B36035EAD7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077105Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.969{89999F75-38C1-60BA-FB0D-00000000C401}39523608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077104Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-38C1-60BA-FB0D-00000000C401}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077103Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077102Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077101Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077100Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077099Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077098Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077097Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077096Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077095Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077094Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-38C1-60BA-FB0D-00000000C401}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077093Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.828{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-38C1-60BA-FB0D-00000000C401}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077092Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.829{89999F75-38C1-60BA-FB0D-00000000C401}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000077091Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.500{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-2\Net35\readme.txt2021-06-04 14:29:21.500 11241100x800000000000000077090Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.485{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\readme.txt2021-06-04 14:29:21.485 11241100x800000000000000077089Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.485{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\spool\dirmoncache\readme.txt2021-06-04 14:29:21.485 23542300x800000000000000077088Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.422{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB8A3789AAD69CD92B71B5C1C013CEF,SHA256=1F9E3E5A4A1B48BEF47B8A11DCD391D992F4AFFC7F38456F5CA032439BCA21AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077087Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-38C1-60BA-FA0D-00000000C401}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077086Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077085Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077084Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077083Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077082Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077081Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077080Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077079Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077078Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-38C1-60BA-FA0D-00000000C401}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077077Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077076Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.047{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-38C1-60BA-FA0D-00000000C401}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077075Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.048{89999F75-38C1-60BA-FA0D-00000000C401}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079307Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:22.702{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079306Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:22.702{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8EC156AFFDABF45154F61CA3BFDF17,SHA256=6C4E2E7CEEA4A746121077B81C9CA6572CF8C30EB46E3DB906653167C1FBD9F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077146Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.781{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\readme.txt2021-06-04 14:29:22.781 11241100x800000000000000077145Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.766{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\readme.txt2021-06-04 14:29:22.766 11241100x800000000000000077144Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.766{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\readme.txt2021-06-04 14:29:22.766 11241100x800000000000000077143Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.750{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\notepadplusplus.install\tools\readme.txt2021-06-04 14:29:22.750 11241100x800000000000000077142Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.735{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\notepadplusplus.install\legal\readme.txt2021-06-04 14:29:22.735 11241100x800000000000000077141Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.719{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\notepadplusplus\tools\readme.txt2021-06-04 14:29:22.719 11241100x800000000000000077140Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.703{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\git.install\tools\readme.txt2021-06-04 14:29:22.703 11241100x800000000000000077139Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.688{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\git.install\legal\readme.txt2021-06-04 14:29:22.688 11241100x800000000000000077138Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.656{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\Firefox\tools\readme.txt2021-06-04 14:29:22.656 10341000x800000000000000077137Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.656{89999F75-38C2-60BA-FC0D-00000000C401}50281144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077136Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.594{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\chocolatey-core.extension\extensions\readme.txt2021-06-04 14:29:22.594 11241100x800000000000000077135Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.578{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\7zip.install\tools\readme.txt2021-06-04 14:29:22.578 11241100x800000000000000077134Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.563{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\chocolatey\lib\7zip.install\legal\readme.txt2021-06-04 14:29:22.563 11241100x800000000000000077133Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.563{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\Logs\audits\readme.txt2021-06-04 14:29:22.563 11241100x800000000000000077132Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.563{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\Locks\Packages\readme.txt2021-06-04 14:29:22.563 11241100x800000000000000077131Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.563{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\LocalCommands\Completed\readme.txt2021-06-04 14:29:22.563 23542300x800000000000000077130Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.563{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0938FE7E8E6A1B2D36550D1CDB9842,SHA256=C7AACD8DB7311D94929918651499D4F1E1B4483586341D4F1AA4EEF392FDC847,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077129Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.563{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\InstanceData\i-0b5c8a9a79bf907bd\readme.txt2021-06-04 14:29:22.547 11241100x800000000000000077128Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.547{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\System\Ole DB\en-US\readme.txt2021-06-04 14:29:22.547 11241100x800000000000000077127Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\System\msadc\en-US\readme.txt2021-06-04 14:29:22.531 11241100x800000000000000077126Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\System\ado\en-US\readme.txt2021-06-04 14:29:22.531 11241100x800000000000000077125Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\readme.txt2021-06-04 14:29:22.531 11241100x800000000000000077124Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\readme.txt2021-06-04 14:29:22.531 11241100x800000000000000077123Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\readme.txt2021-06-04 14:29:22.531 11241100x800000000000000077122Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\readme.txt2021-06-04 14:29:22.531 11241100x800000000000000077121Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.531{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\readme.txt2021-06-04 14:29:22.531 10341000x800000000000000077120Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-38C2-60BA-FC0D-00000000C401}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077119Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-38C2-60BA-FC0D-00000000C401}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077118Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077117Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077116Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077115Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077114Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077113Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077112Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077111Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077110Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077109Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.500{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-38C2-60BA-FC0D-00000000C401}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077108Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.501{89999F75-38C2-60BA-FC0D-00000000C401}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077107Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.078{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF0BA7DE9029F617D8C7F1F9AF0D100,SHA256=131530B1C03CCCC05B631FB221C73F297C1979E0DFC5569959C2127D1FB948EA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077106Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:22.047{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-2\Net45\readme.txt2021-06-04 14:29:22.047 11241100x800000000000000079309Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:23.734{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079308Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:23.734{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44525446C6FD3DEDEF73D02D5C939E08,SHA256=C48113779B3D26F5D5B566599FBA970133AEF252A39D91E8A796587AACE77C4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077175Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:23.922{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\ConnectedDevicesPlatform\readme.txt2021-06-04 14:29:23.922 11241100x800000000000000077174Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:23.922{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Comms\readme.txt2021-06-04 14:29:23.922 11241100x800000000000000077173Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:23.922{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\AWSToolkit\readme.txt2021-06-04 14:29:23.922 11241100x800000000000000077172Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.906{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\NuGet\readme.txt2021-06-04 14:29:23.906 11241100x800000000000000077171Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.906{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Notepad++\readme.txt2021-06-04 14:29:23.906 11241100x800000000000000077170Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.906{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Microsoft\readme.txt2021-06-04 14:29:23.906 11241100x800000000000000077169Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Adobe\readme.txt2021-06-04 14:29:23.891 11241100x800000000000000077168Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\LocalLow\Microsoft\readme.txt2021-06-04 14:29:23.891 11241100x800000000000000077167Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\TileDataLayer\readme.txt2021-06-04 14:29:23.891 11241100x800000000000000077166Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Programs\readme.txt2021-06-04 14:29:23.891 11241100x800000000000000077165Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\PeerDistRepub\readme.txt2021-06-04 14:29:23.891 11241100x800000000000000077164Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Packages\readme.txt2021-06-04 14:29:23.891 11241100x800000000000000077163Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.875{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\NuGet\readme.txt2021-06-04 14:29:23.875 11241100x800000000000000077162Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.875{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Microsoft\readme.txt2021-06-04 14:29:23.875 354300x800000000000000077161Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:21.363{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50704-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077160Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.688{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\ConnectedDevicesPlatform\readme.txt2021-06-04 14:29:23.688 11241100x800000000000000077159Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.688{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Comms\readme.txt2021-06-04 14:29:23.688 11241100x800000000000000077158Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.672{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\AWSToolkit\readme.txt2021-06-04 14:29:23.672 11241100x800000000000000077157Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.641{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{EECDD137-13DA-46ED-ADA0-BDF7F8BE65B8}v14.28.29913\packages\vcRuntimeMinimum_amd64\readme.txt2021-06-04 14:29:23.641 23542300x800000000000000077156Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.610{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5320537905F46E3D278E7E17F4E7CD08,SHA256=6C0A8B0A79A1E6BBD822474AAFD2B067B6DE496994CD7E3212A2E8EBD07FF9A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077155Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.563{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D55CE90A8B6BEA01F3DC5F7F99D81DE8,SHA256=DD876E7DDD0C395EA0F0D23B61B39E7AC3EA743903A16D47BB4B6AAD7EE214AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077154Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.453{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Package Cache\{620A7633-7A09-42A8-8580-076A4483C4B0}v14.28.29913\packages\vcRuntimeAdditional_amd64\readme.txt2021-06-04 14:29:23.453 11241100x800000000000000077153Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.422{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Event Viewer\Views\ServerRoles\readme.txt2021-06-04 14:29:23.422 11241100x800000000000000077152Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.422{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\readme.txt2021-06-04 14:29:23.422 11241100x800000000000000077151Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.406{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\readme.txt2021-06-04 14:29:23.406 11241100x800000000000000077150Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.375{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\readme.txt2021-06-04 14:29:23.375 11241100x800000000000000077149Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.328{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\readme.txt2021-06-04 14:29:23.328 11241100x800000000000000077148Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.313{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\readme.txt2021-06-04 14:29:23.313 11241100x800000000000000077147Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:23.281{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\readme.txt2021-06-04 14:29:23.281 11241100x800000000000000079312Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:24.765{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079311Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:24.765{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63A33050AA334410210E85792286A2C,SHA256=7DA5966F8DA631748CF3CBEAB53A7EAFE48A8DAB034E47C4DCD8D270B71A14F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077217Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.969{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\msgs\readme.txt2021-06-04 14:29:24.969 11241100x800000000000000077216Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.938{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\http1.0\readme.txt2021-06-04 14:29:24.938 23542300x800000000000000077215Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.891{89999F75-EEE0-60B9-2D00-00000000C401}2980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\readme.txtMD5=B87B63355379F17BB06A2570C8D88B04,SHA256=284959ED3F68FB912CB141EF31B4AD4B53147BD1082EC1ED83BD08AF729D09D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077214Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.829{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077D561B077EF34C392BB96A13FA0408,SHA256=30C0011C9A085D7F0A7FE3F4AE6C4B4380345E9052A5AC142359514D84A0F608,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079310Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:22.892{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53871-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000077213Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-38C4-60BA-FD0D-00000000C401}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077212Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077211Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077210Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077209Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077208Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077207Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077206Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077205Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077204Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077203Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EECD-60B9-0500-00000000C401}408424C:\Windows\system32\csrss.exe{89999F75-38C4-60BA-FD0D-00000000C401}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077202Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.594{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-38C4-60BA-FD0D-00000000C401}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077201Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.595{89999F75-38C4-60BA-FD0D-00000000C401}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000077200Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.563{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1500-00000000C401}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077199Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.563{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1500-00000000C401}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077198Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.563{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1500-00000000C401}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000077197Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.297{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\encoding\readme.txt2021-06-04 14:29:24.297 11241100x800000000000000077196Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.281{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8\8.6\readme.txt2021-06-04 14:29:24.281 11241100x800000000000000077195Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.266{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8\8.5\readme.txt2021-06-04 14:29:24.266 11241100x800000000000000077194Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.250{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8\8.4\readme.txt2021-06-04 14:29:24.250 11241100x800000000000000077193Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.250{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\etc\pki\ca-trust\readme.txt2021-06-04 14:29:24.250 11241100x800000000000000077192Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.250{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\etc\pki\ca-trust\extracted\readme.txt2021-06-04 14:29:24.250 11241100x800000000000000077191Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.219{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\readme.txt2021-06-04 14:29:24.219 11241100x800000000000000077190Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.219{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\readme.txt2021-06-04 14:29:24.219 11241100x800000000000000077189Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.219{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\readme.txt2021-06-04 14:29:24.219 11241100x800000000000000077188Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.203{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\readme.txt2021-06-04 14:29:24.203 11241100x800000000000000077187Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.203{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\readme.txt2021-06-04 14:29:24.203 11241100x800000000000000077186Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.188{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\readme.txt2021-06-04 14:29:24.188 11241100x800000000000000077185Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.125{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\readme.txt2021-06-04 14:29:24.125 11241100x800000000000000077184Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.110{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\readme.txt2021-06-04 14:29:24.110 11241100x800000000000000077183Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.110{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\readme.txt2021-06-04 14:29:24.110 11241100x800000000000000077182Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\readme.txt2021-06-04 14:29:24.094 11241100x800000000000000077181Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:24.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\Microsoft\readme.txt2021-06-04 14:29:24.094 11241100x800000000000000077180Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:24.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\Adobe\readme.txt2021-06-04 14:29:24.094 11241100x800000000000000077179Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:24.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\LocalLow\Microsoft\readme.txt2021-06-04 14:29:24.094 11241100x800000000000000077178Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:24.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\TileDataLayer\readme.txt2021-06-04 14:29:24.094 11241100x800000000000000077177Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:24.094{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Packages\readme.txt2021-06-04 14:29:24.094 11241100x800000000000000077176Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:24.078{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Microsoft\readme.txt2021-06-04 14:29:24.078 11241100x800000000000000079314Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:25.812{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079313Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:25.812{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC481CA82B5F7730BEC29C4F967EDB8,SHA256=75662FA332BA8564EFC96D955F4139AA8EABC2D9AD80E52F96669193B9C3767D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077235Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.860{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162698FD981607D671DC42646A6BF85F,SHA256=5D4334AF0382D8D44DC6D52F895559163680728837D8402627D541D51A261F54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077234Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.844{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\readme.txt2021-06-04 14:29:25.844 11241100x800000000000000077233Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.828{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\opt0.4\readme.txt2021-06-04 14:29:25.828 23542300x800000000000000077232Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.813{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEA42918963B09C4E36C4F4C19053B90,SHA256=D3E6F88431F4524545A7B2EC8B41F65952AB695D81C2A53C6C0B5C7594F2D9A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077231Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.297{89999F75-38C5-60BA-FE0D-00000000C401}49803024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077230Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EEE1-60B9-3700-00000000C401}34083428C:\Windows\system32\conhost.exe{89999F75-38C5-60BA-FE0D-00000000C401}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077229Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077228Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077227Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077226Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077225Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077224Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077223Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077222Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077221Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EECF-60B9-0C00-00000000C401}8444968C:\Windows\system32\svchost.exe{89999F75-EEE0-60B9-2C00-00000000C401}2964C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077220Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EECD-60B9-0500-00000000C401}408524C:\Windows\system32\csrss.exe{89999F75-38C5-60BA-FE0D-00000000C401}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077219Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.094{89999F75-EEE0-60B9-2D00-00000000C401}29803556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89999F75-38C5-60BA-FE0D-00000000C401}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077218Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:25.095{89999F75-38C5-60BA-FE0D-00000000C401}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89999F75-EECE-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{89999F75-EEE0-60B9-2D00-00000000C401}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079316Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:26.968{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079315Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:26.968{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E52E9498F4828127057784876F87A5,SHA256=930910B33A2BC77CC804570B2DA49D51CC1D0D7EBD7A3B757F51512759B41772,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077242Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:26.940{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tk8.6\ttk\readme.txt2021-06-04 14:29:26.940 23542300x800000000000000077241Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:26.862{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0713686C2681D16ABC1DD5EABB34A9A,SHA256=4910D8944E6F396DA36DCCCFE82EB79F3F69155AC6D02BFC3EA04B4D07CE4F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077240Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.472{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50705-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 354300x800000000000000077239Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:24.472{89999F75-EEE0-60B9-2800-00000000C401}2932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-392.attackrange.local50705-true0:0:0:0:0:0:0:1win-dc-392.attackrange.local389ldap 11241100x800000000000000077238Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:26.828{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tk8.6\msgs\readme.txt2021-06-04 14:29:26.828 11241100x800000000000000077237Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:26.735{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tk8.6\images\readme.txt2021-06-04 14:29:26.735 11241100x800000000000000077236Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:26.219{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tk8.6\demos\readme.txt2021-06-04 14:29:26.219 11241100x800000000000000079318Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:27.984{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079317Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:27.984{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B77BF678C36A98D6475F6CC49E90CE,SHA256=EF91EDCC08A9C70DA60C5BB6DAA683481DE1E24DAB07C549275E17B31A949D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077247Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:27.865{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178A9B114D7115CC48D3927D50F11F0B,SHA256=5EEE8702D2336EB3C6D8F1244F3392516A90391CAA41D820AFBAAB17D10EF379,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077246Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:27.315{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\git-doc\readme.txt2021-06-04 14:29:27.315 11241100x800000000000000077245Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:27.284{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\expat\readme.txt2021-06-04 14:29:27.284 11241100x800000000000000077244Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:27.268{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\connect\readme.txt2021-06-04 14:29:27.268 11241100x800000000000000077243Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:27.112{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\libexec\git-core\mergetools\readme.txt2021-06-04 14:29:27.112 11241100x800000000000000079320Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:28.437{3F3E08E7-F094-60B9-1100-00000000C501}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-06-04 09:21:24.810 23542300x800000000000000079319Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:28.437{3F3E08E7-F094-60B9-1100-00000000C501}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=29A722D607918541149227B994EC472A,SHA256=A9F7EF9B1BE1C679406FB0E372ABA4D71F6DE55DE12EB69B61794AA7E9BC5EE0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077249Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:28.959{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\gnutls\readme.txt2021-06-04 14:29:28.959 11241100x800000000000000077248Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:28.943{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\git-lfs\readme.txt2021-06-04 14:29:28.943 11241100x800000000000000077282Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.943{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\perl5\Git\readme.txt2021-06-04 14:29:29.943 11241100x800000000000000077281Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.943{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\perl5\FromCPAN\readme.txt2021-06-04 14:29:29.943 11241100x800000000000000077280Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.928{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\zstd\readme.txt2021-06-04 14:29:29.928 11241100x800000000000000077279Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.928{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\zlib\readme.txt2021-06-04 14:29:29.928 11241100x800000000000000077278Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.896{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\xz\readme.txt2021-06-04 14:29:29.896 11241100x800000000000000077277Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.881{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\wineditline\readme.txt2021-06-04 14:29:29.881 11241100x800000000000000077276Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.881{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\pcre2\readme.txt2021-06-04 14:29:29.865 11241100x800000000000000077275Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.865{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\pcre\readme.txt2021-06-04 14:29:29.865 11241100x800000000000000077274Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.850{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\openssl\readme.txt2021-06-04 14:29:29.850 11241100x800000000000000077273Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.834{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libzip\readme.txt2021-06-04 14:29:29.834 11241100x800000000000000077272Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.834{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libwinpthread\readme.txt2021-06-04 14:29:29.834 11241100x800000000000000077271Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.803{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libunistring\readme.txt2021-06-04 14:29:29.803 11241100x800000000000000077270Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.803{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libtre\readme.txt2021-06-04 14:29:29.803 11241100x800000000000000077269Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.787{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libtasn1\readme.txt2021-06-04 14:29:29.787 11241100x800000000000000077268Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.787{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libsystre\readme.txt2021-06-04 14:29:29.787 11241100x800000000000000077267Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.771{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libssh2\readme.txt2021-06-04 14:29:29.771 11241100x800000000000000077266Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.740{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libiconv\readme.txt2021-06-04 14:29:29.740 11241100x800000000000000077265Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.740{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libffi\readme.txt2021-06-04 14:29:29.740 11241100x800000000000000077264Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.724{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\jemalloc\readme.txt2021-06-04 14:29:29.724 11241100x800000000000000077263Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.724{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\gettext\readme.txt2021-06-04 14:29:29.724 354300x800000000000000077262Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:27.337{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50706-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077261Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.693{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\gcc-libs\readme.txt2021-06-04 14:29:29.693 11241100x800000000000000077260Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.678{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\expat\readme.txt2021-06-04 14:29:29.678 11241100x800000000000000077259Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.678{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\bzip2\readme.txt2021-06-04 14:29:29.678 11241100x800000000000000077258Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.662{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\brotli\readme.txt2021-06-04 14:29:29.662 11241100x800000000000000077257Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.349{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\git-gui\lib\readme.txt2021-06-04 14:29:29.349 11241100x800000000000000077256Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.321{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\git\completion\readme.txt2021-06-04 14:29:29.321 11241100x800000000000000077255Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.240{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\gettext-0.19.8\its\readme.txt2021-06-04 14:29:29.240 11241100x800000000000000077254Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.162{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\xz\readme.txt2021-06-04 14:29:29.162 11241100x800000000000000077253Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.146{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\nghttp2\readme.txt2021-06-04 14:29:29.146 23542300x800000000000000077252Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.086{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3A9E97BA20B52A44D0D3D80855DEFD,SHA256=758DE323D6A55C33955EC51121956958C3625EF942B7265E68EE212D98B464E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079323Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:27.938{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000079322Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:28.999{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079321Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:28.999{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2E3D3818EF6A49967C98364DB4CFE5,SHA256=97A614D26B6914E59DEED25962F1DBC9BC714EF20018D38E8DF002192718B23C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077251Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.068{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\mpfr\readme.txt2021-06-04 14:29:29.068 11241100x800000000000000077250Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.053{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\jemalloc\readme.txt2021-06-04 14:29:29.053 11241100x800000000000000077292Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.584{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8.6\encoding\readme.txt2021-06-04 14:29:30.584 11241100x800000000000000077291Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.553{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8\8.6\readme.txt2021-06-04 14:29:30.553 11241100x800000000000000077290Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.537{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8\8.5\readme.txt2021-06-04 14:29:30.537 11241100x800000000000000077289Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.537{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8\8.4\readme.txt2021-06-04 14:29:30.537 11241100x800000000000000077288Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.521{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\vendor_perl\readme.txt2021-06-04 14:29:30.521 23542300x800000000000000077287Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.115{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD848DAC99CBA13E6D404ED84633EB2A,SHA256=1FFC18F774AED69584C811DB6D1D50C9084CDCEA2765C826935704CA48465CF2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079325Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:30.015{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079324Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:30.015{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C4EA5AC2D7D3040FE9C9EA2585B5EE,SHA256=1B5B87519C1306B0009520434A32682C0B9FEBF032C79C488F7ED8C0B683FFDF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077286Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.053{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\readme.txt2021-06-04 14:29:30.053 11241100x800000000000000077285Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.037{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\openssl\engines-1.1\readme.txt2021-06-04 14:29:30.037 11241100x800000000000000077284Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.006{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\pki\ca-trust-source\readme.txt2021-06-04 14:29:30.006 11241100x800000000000000077283Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:29.990{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\pki\ca-trust-legacy\readme.txt2021-06-04 14:29:29.990 11241100x800000000000000079327Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:31.031{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079326Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:31.031{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712A043F65E1C11CFC95D1FBA1101C41,SHA256=D519C58A07904A309766DB5E7A6CB2249DA9B70773A9E569C7EF6B11CB6F63F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077314Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.209{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077313Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.209{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077312Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.209{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077311Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.209{89999F75-EECE-60B9-0B00-00000000C401}6241928C:\Windows\system32\lsass.exe{89999F75-EECB-60B9-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x800000000000000077310Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.162{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8.6\msgs\readme.txt2021-06-04 14:29:31.162 11241100x800000000000000077309Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.146{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8.6\http1.0\readme.txt2021-06-04 14:29:31.146 23542300x800000000000000077308Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.131{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94523628B61CF81FDFFEBDC80179D3E3,SHA256=B13596DD6383F94E50DFD94458A689A799A31A17B9C1477839F33E6BEF6C27B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077307Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077306Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077305Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077304Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077303Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077302Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077301Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077300Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077299Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077298Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077297Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077296Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077295Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077294Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077293Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:31.099{89999F75-EECF-60B9-0C00-00000000C401}8442164C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1400-00000000C401}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000079329Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:32.046{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079328Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:32.046{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2815038DDBDD473BD35199C0A9D158,SHA256=26368B2F2FA41FD0064935F4FEE7886786F1B17EBAA880BEC525A36CFD055588,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077328Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.388{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50709-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local445microsoft-ds 354300x800000000000000077327Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.388{89999F75-EECB-60B9-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50709-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local445microsoft-ds 354300x800000000000000077326Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.289{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-392.attackrange.local50708-false10.0.1.14win-dc-392.attackrange.local389ldap 354300x800000000000000077325Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.289{89999F75-EED0-60B9-1600-00000000C401}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50708-false10.0.1.14win-dc-392.attackrange.local389ldap 354300x800000000000000077324Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.280{89999F75-EECE-60B9-0B00-00000000C401}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50707-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 354300x800000000000000077323Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:30.280{89999F75-EED0-60B9-1600-00000000C401}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local50707-truefe80:0:0:0:3c4a:8b18:68f0:a4d8win-dc-392.attackrange.local389ldap 11241100x800000000000000077322Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:32.459{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\terminfo\78\readme.txt2021-06-04 14:29:32.459 23542300x800000000000000077321Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:32.256{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6762E9934085FD1123CF2734F0EDA99D,SHA256=7775196927E98D8881B9236113D9A0C3A2606284A3ADE6E8AFADEB449FC81BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077320Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:32.146{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C264F12EE73B017A1E8E91D6E1828C,SHA256=08C7D5CE0550C073152883DDBDD7F95F5722ACC377247FF8E38887725824EA02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077319Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:32.146{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C930180A049B1E5FC8ACA9B32E2860C6,SHA256=B167FB062DE41C06E6EB4E65528102EBA7B9D7F70EF5B13FE6F5C5DEEA628862,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077318Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:32.099{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\terminfo\73\readme.txt2021-06-04 14:29:32.099 11241100x800000000000000077317Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:32.099{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\terminfo\64\readme.txt2021-06-04 14:29:32.084 11241100x800000000000000077316Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:32.084{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\terminfo\63\readme.txt2021-06-04 14:29:32.084 11241100x800000000000000077315Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:32.068{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8.6\opt0.4\readme.txt2021-06-04 14:29:32.068 11241100x800000000000000077370Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.693{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\readme.txt2021-06-04 14:29:33.693 11241100x800000000000000077369Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.693{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\p11-kit\modules\readme.txt2021-06-04 14:29:33.693 11241100x800000000000000077368Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.631{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\nano\extra\readme.txt2021-06-04 14:29:33.631 11241100x800000000000000077367Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.568{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\mintty\themes\readme.txt2021-06-04 14:29:33.568 11241100x800000000000000077366Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.459{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\mintty\lang\readme.txt2021-06-04 14:29:33.459 11241100x800000000000000077365Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.443{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\makepkg\lint_package\readme.txt2021-06-04 14:29:33.443 11241100x800000000000000077364Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.443{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\zlib\readme.txt2021-06-04 14:29:33.443 11241100x800000000000000077363Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.427{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\vim\readme.txt2021-06-04 14:29:33.427 11241100x800000000000000077362Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.427{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\unzip\readme.txt2021-06-04 14:29:33.427 11241100x800000000000000077361Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.412{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\tcl\readme.txt2021-06-04 14:29:33.412 11241100x800000000000000077360Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.396{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\perl-Try-Tiny\readme.txt2021-06-04 14:29:33.396 11241100x800000000000000077359Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.381{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\perl-TermReadKey\readme.txt2021-06-04 14:29:33.381 11241100x800000000000000077358Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.381{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\perl-Net-SSLeay\readme.txt2021-06-04 14:29:33.381 11241100x800000000000000077357Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.365{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\p11-kit\readme.txt2021-06-04 14:29:33.365 11241100x800000000000000077356Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.365{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\openssl\readme.txt2021-06-04 14:29:33.365 11241100x800000000000000077355Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.349{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\openssh\readme.txt2021-06-04 14:29:33.349 11241100x800000000000000077354Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.349{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\ncurses\readme.txt2021-06-04 14:29:33.349 11241100x800000000000000077353Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\mintty\readme.txt2021-06-04 14:29:33.318 11241100x800000000000000077352Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.302{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libxslt\readme.txt2021-06-04 14:29:33.302 11241100x800000000000000077351Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.302{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libxml2\readme.txt2021-06-04 14:29:33.302 11241100x800000000000000077350Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.287{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libssh2\readme.txt2021-06-04 14:29:33.287 23542300x800000000000000077349Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.287{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D465AD4C46B746651835F025E86203,SHA256=92A28A33643591725430E702335A9798323BFADB1454D7ABEC46E302929F46B9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077348Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.287{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libsqlite\readme.txt2021-06-04 14:29:33.287 10341000x800000000000000079347Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.984{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-38CD-60BA-3C0D-00000000C501}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079346Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.984{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079345Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.984{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079344Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.984{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079343Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.984{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079342Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.984{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-38CD-60BA-3C0D-00000000C501}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079341Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.984{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-38CD-60BA-3C0D-00000000C501}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079340Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.984{3F3E08E7-38CD-60BA-3C0D-00000000C501}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000079339Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.312{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-38CD-60BA-3B0D-00000000C501}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079338Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.312{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079337Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.312{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079336Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.312{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079335Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.312{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079334Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.312{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-38CD-60BA-3B0D-00000000C501}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079333Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.312{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-38CD-60BA-3B0D-00000000C501}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079332Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.312{3F3E08E7-38CD-60BA-3B0D-00000000C501}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079331Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.062{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079330Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:33.062{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0794AD63AFD54A9A4AEEDD9CE7A52116,SHA256=65F6B0E7D3188BD713607C74575072382637BDF27D8E48FE1B2446FA35CE6E5C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077347Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.271{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libsasl\readme.txt2021-06-04 14:29:33.271 11241100x800000000000000077346Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.271{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libpsl\readme.txt2021-06-04 14:29:33.271 11241100x800000000000000077345Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.256{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libnghttp2\readme.txt2021-06-04 14:29:33.256 11241100x800000000000000077344Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.256{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libksba\readme.txt2021-06-04 14:29:33.256 11241100x800000000000000077343Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.209{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libffi\readme.txt2021-06-04 14:29:33.209 11241100x800000000000000077342Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.209{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libedit\readme.txt2021-06-04 14:29:33.209 11241100x800000000000000077341Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.193{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\libassuan\readme.txt2021-06-04 14:29:33.193 11241100x800000000000000077340Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.193{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\gcc-libs\readme.txt2021-06-04 14:29:33.193 11241100x800000000000000077339Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.177{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\file\readme.txt2021-06-04 14:29:33.177 11241100x800000000000000077338Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.162{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\expat\readme.txt2021-06-04 14:29:33.162 11241100x800000000000000077337Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.162{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\licenses\dos2unix\readme.txt2021-06-04 14:29:33.162 11241100x800000000000000077336Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.162{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\icons\locolor\readme.txt2021-06-04 14:29:33.162 11241100x800000000000000077335Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.162{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\icons\hicolor\readme.txt2021-06-04 14:29:33.162 11241100x800000000000000077334Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.146{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\gtk-doc\html\readme.txt2021-06-04 14:29:33.146 11241100x800000000000000077333Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.146{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\glib-2.0\schemas\readme.txt2021-06-04 14:29:33.146 11241100x800000000000000077332Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.131{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\glib-2.0\gdb\readme.txt2021-06-04 14:29:33.131 11241100x800000000000000077331Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.131{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\gdb\auto-load\readme.txt2021-06-04 14:29:33.131 11241100x800000000000000077330Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.115{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\fish\vendor_conf.d\readme.txt2021-06-04 14:29:33.115 11241100x800000000000000077329Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.006{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\bash-completion\completions\readme.txt2021-06-04 14:29:33.006 354300x800000000000000077379Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:32.368{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50710-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077378Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:34.818{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\terminfo\78\readme.txt2021-06-04 14:29:34.818 23542300x800000000000000077377Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:34.521{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C734A2EA3513F1DB17EA555F9896C056,SHA256=3508552CED931BFB485A07AFFF8EEF5402C5D6A32578CFC50E093A1B88EA0809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079362Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.781{3F3E08E7-38CE-60BA-3D0D-00000000C501}59364492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079361Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.656{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-38CE-60BA-3D0D-00000000C501}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079360Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.656{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079359Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.656{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079358Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.656{3F3E08E7-F094-60B9-0C00-00000000C501}728208C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079357Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.656{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079356Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.656{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-38CE-60BA-3D0D-00000000C501}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079355Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.656{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-38CE-60BA-3D0D-00000000C501}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079354Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.656{3F3E08E7-38CE-60BA-3D0D-00000000C501}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079353Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.359{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079352Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.359{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=296790B9201C1E7767932C13AE83AC74,SHA256=FF2FE62E1265BAE87A5EFEC44F9C8895E95393F4EF472C5AC897B30A0C1B5132,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079351Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.359{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079350Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.359{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08F335BF93950D189AA6C79CCA3A3993,SHA256=4DBF696B732275251DB0A8EF06456A41BC7A79B48A03F114CEB45C223D964906,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079349Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.077{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079348Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.077{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F8950707F29A0329F604ABC3EF4C70,SHA256=B98BA73278362C43D94A31D3021B9C66F20EA2433CB527C51BBF23ABCFAC1907,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077376Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:34.381{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\terminfo\73\readme.txt2021-06-04 14:29:34.381 11241100x800000000000000077375Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:34.365{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\terminfo\64\readme.txt2021-06-04 14:29:34.365 11241100x800000000000000077374Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:34.349{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\terminfo\63\readme.txt2021-06-04 14:29:34.349 11241100x800000000000000077373Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:34.334{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\pki\ca-trust-source\readme.txt2021-06-04 14:29:34.334 11241100x800000000000000077372Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:34.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\pki\ca-trust-legacy\readme.txt2021-06-04 14:29:34.302 11241100x800000000000000077371Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:34.256{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\readme.txt2021-06-04 14:29:34.256 11241100x800000000000000077399Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.943{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\default\readme.txt2021-06-04 14:29:35.943 11241100x800000000000000077398Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.943{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\data\readme.txt2021-06-04 14:29:35.943 11241100x800000000000000077397Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.943{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\darwin_x86_64\readme.txt2021-06-04 14:29:35.943 11241100x800000000000000077396Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.943{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\configs\readme.txt2021-06-04 14:29:35.943 11241100x800000000000000077395Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.912{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\readme.txt2021-06-04 14:29:35.912 11241100x800000000000000077394Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.912{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\readme.txt2021-06-04 14:29:35.912 11241100x800000000000000077393Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.896{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\metadata\readme.txt2021-06-04 14:29:35.896 11241100x800000000000000077392Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.881{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\readme.txt2021-06-04 14:29:35.881 11241100x800000000000000077391Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.802{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\readme.txt2021-06-04 14:29:35.802 11241100x800000000000000077390Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.802{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\search\metadata\readme.txt2021-06-04 14:29:35.802 11241100x800000000000000077389Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.756{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\readme.txt2021-06-04 14:29:35.756 11241100x800000000000000077388Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.756{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\powershell_inputs_app\local\readme.txt2021-06-04 14:29:35.756 11241100x800000000000000077387Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.724{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\learned\metadata\readme.txt2021-06-04 14:29:35.724 11241100x800000000000000077386Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.724{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\readme.txt2021-06-04 14:29:35.724 11241100x800000000000000077385Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.709{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\learned\default\readme.txt2021-06-04 14:29:35.709 11241100x800000000000000077384Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.677{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\readme.txt2021-06-04 14:29:35.677 11241100x800000000000000077383Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.662{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\bin\readme.txt2021-06-04 14:29:35.662 11241100x800000000000000077382Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.646{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\attack_simulation_inputs_app\local\readme.txt2021-06-04 14:29:35.646 23542300x800000000000000077381Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.568{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF7328CFDAC16AF3156F6792D94A3B7,SHA256=4E2F0CF89116D75C571CE5DC1D684AA4F86C0E33C308F16E3FD286F9622A321D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079367Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:34.001{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53873-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000079366Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:35.889{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079365Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:35.889{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=296790B9201C1E7767932C13AE83AC74,SHA256=FF2FE62E1265BAE87A5EFEC44F9C8895E95393F4EF472C5AC897B30A0C1B5132,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079364Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:35.079{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079363Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:35.079{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAE0081AE199F6BF8CC5DDB87C08308,SHA256=23DAAA349F504463D6946EC329B795F894A73159BABB857F5C309B292D7C5C00,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077380Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:35.490{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\readme.txt2021-06-04 14:29:35.490 23542300x800000000000000077435Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.834{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34B8D158C324E9EE7826C00AD3E0E48,SHA256=B15AFE60F487B7BA9CF35F8887B72F9AE43877F80AB25D9EEEBDE79607C957F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079378Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.514{3F3E08E7-38D0-60BA-3E0D-00000000C501}53402928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079377Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.389{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-38D0-60BA-3E0D-00000000C501}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079376Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.389{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079375Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.389{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079374Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.389{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079373Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.389{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079372Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.389{3F3E08E7-F093-60B9-0500-00000000C501}4161012C:\Windows\system32\csrss.exe{3F3E08E7-38D0-60BA-3E0D-00000000C501}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079371Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.389{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-38D0-60BA-3E0D-00000000C501}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079370Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.389{3F3E08E7-38D0-60BA-3E0D-00000000C501}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079369Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.092{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079368Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:36.092{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B060E0F42D222931DA7A750C84279E0E,SHA256=05A55D35C2314AB822D49349567FFDE3C69AFC9F818607DF794A06C5517ACD60,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077434Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.365{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Comms\UnistoreDB\readme.txt2021-06-04 14:29:36.365 11241100x800000000000000077433Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.365{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Comms\Unistore\readme.txt2021-06-04 14:29:36.365 11241100x800000000000000077432Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.349{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\readme.txt2021-06-04 14:29:36.349 11241100x800000000000000077431Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.349{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\readme.txt2021-06-04 14:29:36.349 11241100x800000000000000077430Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.349{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\ProgramData\Amazon\SSM\InstanceData\i-0b5c8a9a79bf907bd\document\readme.txt2021-06-04 14:29:36.349 11241100x800000000000000077429Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.349{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\run\splunk\upload\readme.txt2021-06-04 14:29:36.349 11241100x800000000000000077428Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.349{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\run\splunk\search_telemetry\readme.txt2021-06-04 14:29:36.349 11241100x800000000000000077427Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\run\splunk\exec\readme.txt2021-06-04 14:29:36.318 11241100x800000000000000077426Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\run\splunk\csv\readme.txt2021-06-04 14:29:36.318 11241100x800000000000000077425Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\run\splunk\appserver\readme.txt2021-06-04 14:29:36.318 11241100x800000000000000077424Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\log\splunk\opt\readme.txt2021-06-04 14:29:36.318 11241100x800000000000000077423Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.287{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\persistentstorage\readme.txt2021-06-04 14:29:36.287 11241100x800000000000000077422Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.287{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\readme.txt2021-06-04 14:29:36.287 11241100x800000000000000077421Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.287{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\hashDb\readme.txt2021-06-04 14:29:36.287 11241100x800000000000000077420Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.273{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\readme.txt2021-06-04 14:29:36.273 11241100x800000000000000077419Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.273{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\authDb\readme.txt2021-06-04 14:29:36.273 11241100x800000000000000077418Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.256{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\input\winparsing\readme.txt2021-06-04 14:29:36.256 11241100x800000000000000077417Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.240{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\input\wineventlog\readme.txt2021-06-04 14:29:36.240 11241100x800000000000000077416Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.240{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\input\UDP\readme.txt2021-06-04 14:29:36.240 11241100x800000000000000077415Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.224{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\input\TCP\readme.txt2021-06-04 14:29:36.224 11241100x800000000000000077414Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.224{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\input\tailfile\readme.txt2021-06-04 14:29:36.224 11241100x800000000000000077413Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.209{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\input\structuredparsing\readme.txt2021-06-04 14:29:36.209 11241100x800000000000000077412Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.209{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\input\RemoteQueue\readme.txt2021-06-04 14:29:36.209 11241100x800000000000000077411Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.193{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\input\fschangemanager\readme.txt2021-06-04 14:29:36.193 11241100x800000000000000077410Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.193{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\modules\input\exec\readme.txt2021-06-04 14:29:36.193 11241100x800000000000000077409Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.177{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\win_outputs_app\local\readme.txt2021-06-04 14:29:36.177 11241100x800000000000000077408Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.177{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\win_inputs_app\local\readme.txt2021-06-04 14:29:36.177 11241100x800000000000000077407Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.162{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\win_deploymentclient_app\local\readme.txt2021-06-04 14:29:36.162 11241100x800000000000000077406Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.146{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\sysmon_inputs_app\local\readme.txt2021-06-04 14:29:36.146 11241100x800000000000000077405Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.131{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\ui\readme.txt2021-06-04 14:29:36.131 11241100x800000000000000077404Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.115{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\README\readme.txt2021-06-04 14:29:36.115 11241100x800000000000000077403Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.099{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\metadata\readme.txt2021-06-04 14:29:36.099 11241100x800000000000000077402Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.099{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\lookups\readme.txt2021-06-04 14:29:36.099 11241100x800000000000000077401Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.068{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\local\readme.txt2021-06-04 14:29:36.068 11241100x800000000000000077400Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:36.068{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\linux_x86_64\readme.txt2021-06-04 14:29:36.068 23542300x800000000000000077447Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.849{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C782E8C6AB06053FC76E004590698155,SHA256=9C7C16724FA97B1F361F2BEED6904DCE400C80FF94D57C935D1901CB30DCE296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079403Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.735{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-38D1-60BA-400D-00000000C501}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079402Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.735{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079401Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.735{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079400Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.735{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079399Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.735{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079398Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.735{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-38D1-60BA-400D-00000000C501}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079397Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.735{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-38D1-60BA-400D-00000000C501}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079396Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.736{3F3E08E7-38D1-60BA-400D-00000000C501}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079395Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.407{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079394Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.407{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A9B9E1F279114E7CA188B200413DB9A,SHA256=89EBEA3689982926B1D5368F1F048A574C1FBAFEBFF2658F669519469DD1D7A7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079393Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.298{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-06-04 09:20:37.026 23542300x800000000000000079392Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.298{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1D13B4254B7CAF14276F76B4B27DE23C,SHA256=206706A3112713621A22C1DD86F5D193E6E67960EDB988E63834F3C88A3AC771,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079391Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.298{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-06-04 09:20:37.026 23542300x800000000000000079390Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.298{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6D6A369189BC90A04B8BAA21902A00C6,SHA256=1E1B5D315A19BF0F6B5259F8213359C44610D2C0956F1A4E3184E9734901B723,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079389Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.188{3F3E08E7-38D1-60BA-3F0D-00000000C501}60805660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000079388Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.094{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079387Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.094{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F297D45083ADADEA114C8E4D3E3BD9D,SHA256=336E68E581104AAD5E9B286BC056F54587FA88E0E6A777B637B201BE22648454,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077446Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.396{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\NuGet\Cache\readme.txt2021-06-04 14:29:37.396 11241100x800000000000000077445Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.396{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Microsoft\Vault\readme.txt2021-06-04 14:29:37.396 11241100x800000000000000077444Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.381{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Microsoft\PlayReady\readme.txt2021-06-04 14:29:37.381 11241100x800000000000000077443Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.381{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\readme.txt2021-06-04 14:29:37.381 11241100x800000000000000077442Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.365{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Microsoft\Media Player\readme.txt2021-06-04 14:29:37.365 11241100x800000000000000077441Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\readme.txt2021-06-04 14:29:37.318 11241100x800000000000000077440Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Microsoft\InstallAgent\readme.txt2021-06-04 14:29:37.318 11241100x800000000000000077439Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\readme.txt2021-06-04 14:29:37.318 11241100x800000000000000077438Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Microsoft\Feeds\readme.txt2021-06-04 14:29:37.318 11241100x800000000000000077437Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.302{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Microsoft\Credentials\readme.txt2021-06-04 14:29:37.302 354300x800000000000000077436Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:33.609{89999F75-EED0-60B9-0F00-00000000C401}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse167.172.181.15610.ent.x64.eval.us-english.gz-s-8vcpu-16gb-fra1-0152661-false10.0.1.14win-dc-392.attackrange.local3389ms-wbt-server 10341000x800000000000000079386Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.063{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-38D1-60BA-3F0D-00000000C501}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079385Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.063{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079384Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.063{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079383Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.063{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079382Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.063{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079381Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.063{3F3E08E7-F093-60B9-0500-00000000C501}416532C:\Windows\system32\csrss.exe{3F3E08E7-38D1-60BA-3F0D-00000000C501}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079380Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.063{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-38D1-60BA-3F0D-00000000C501}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079379Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:37.064{3F3E08E7-38D1-60BA-3F0D-00000000C501}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077456Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:38.881{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E5D414767DDE2DE1AC650204780C7F,SHA256=C71F938C7E8B63811E629D3D481942C447DB9A7B68967297B99821E9A91215AF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079416Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.735{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-06-04 09:21:08.545 23542300x800000000000000079415Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.735{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=605FEAC6377122F0E4567B63B1948C3B,SHA256=0CBC7A1D806D3EE930058B0C4FD64C25968D2F58EDDBC5B5A00D7139E1BF23F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079414Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.532{3F3E08E7-38D2-60BA-410D-00000000C501}27244948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079413Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.407{3F3E08E7-02DF-60BA-6706-00000000C501}16124500C:\Windows\system32\conhost.exe{3F3E08E7-3872-60BA-2F0D-00000000C501}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079412Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.407{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079411Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.407{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079410Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.407{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079409Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.407{3F3E08E7-F094-60B9-0C00-00000000C501}7281232C:\Windows\system32\svchost.exe{3F3E08E7-01DA-60BA-1706-00000000C501}4100C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079408Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.407{3F3E08E7-F093-60B9-0500-00000000C501}416432C:\Windows\system32\csrss.exe{3F3E08E7-3872-60BA-2F0D-00000000C501}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000079407Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.407{3F3E08E7-02DF-60BA-6306-00000000C501}41444808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F3E08E7-3872-60BA-2F0D-00000000C501}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000079406Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.408{3F3E08E7-38D2-60BA-410D-00000000C501}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F3E08E7-F094-60B9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000079405Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.110{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079404Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:38.110{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA39BE2AE4DE5348C0AEA0CD1C4B5C29,SHA256=E070907DE19C0378B0E7895A7D01AC018C38883BF8FED876F606A780F2D81F34,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077455Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:38.303{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\TileDataLayer\Database\readme.txt2021-06-04 14:29:38.303 11241100x800000000000000077454Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:38.303{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Programs\Common\readme.txt2021-06-04 14:29:38.303 11241100x800000000000000077453Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:38.303{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\readme.txt2021-06-04 14:29:38.303 11241100x800000000000000077452Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:38.303{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\readme.txt2021-06-04 14:29:38.303 11241100x800000000000000077451Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:38.303{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\readme.txt2021-06-04 14:29:38.287 11241100x800000000000000077450Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:38.287{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\readme.txt2021-06-04 14:29:38.287 11241100x800000000000000077449Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:38.287{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\readme.txt2021-06-04 14:29:38.287 11241100x800000000000000077448Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:38.287{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Local\Packages\ActiveSync\readme.txt2021-06-04 14:29:38.287 23542300x800000000000000077473Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.910{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3A883EEA194D7FA2C753D961276596,SHA256=E29F00E1084A9832714AFE7F6B7ACFCE33037CEB2D2D0356876F91290B1A67BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079418Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:39.141{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079417Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:39.141{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFB3CF3A686C3BF57C9EFB59847AAD4,SHA256=4844572AEAA132688E264246C9A59C6A4FFE5BAEDA0B18021CECAF8CA147C135,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077472Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:39.552{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Comms\UnistoreDB\readme.txt2021-06-04 14:29:39.552 11241100x800000000000000077471Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:39.552{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Comms\Unistore\readme.txt2021-06-04 14:29:39.552 11241100x800000000000000077470Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.552{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Notepad++\userDefineLangs\readme.txt2021-06-04 14:29:39.552 11241100x800000000000000077469Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.334{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Notepad++\themes\readme.txt2021-06-04 14:29:39.334 11241100x800000000000000077468Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.334{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Notepad++\plugins\readme.txt2021-06-04 14:29:39.334 11241100x800000000000000077467Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Microsoft\Vault\readme.txt2021-06-04 14:29:39.318 11241100x800000000000000077466Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\readme.txt2021-06-04 14:29:39.318 11241100x800000000000000077465Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Microsoft\Protect\readme.txt2021-06-04 14:29:39.318 11241100x800000000000000077464Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\readme.txt2021-06-04 14:29:39.318 11241100x800000000000000077463Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.318{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Microsoft\InputMethod\readme.txt2021-06-04 14:29:39.318 11241100x800000000000000077462Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.302{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\readme.txt2021-06-04 14:29:39.302 11241100x800000000000000077461Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.302{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Microsoft\Credentials\readme.txt2021-06-04 14:29:39.302 11241100x800000000000000077460Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.302{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\Roaming\Adobe\Flash Player\readme.txt2021-06-04 14:29:39.302 11241100x800000000000000077459Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.302{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\readme.txt2021-06-04 14:29:39.302 23542300x800000000000000077458Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.256{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B6C2468B9F72314689342AD3E8DF8B9,SHA256=0B454DB2B3C0C253B360D0E7AD7A7556FC6106D41FC571BB56D8B623ECDB484E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077457Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:39.256{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C264F12EE73B017A1E8E91D6E1828C,SHA256=08C7D5CE0550C073152883DDBDD7F95F5722ACC377247FF8E38887725824EA02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077491Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:40.926{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6E45BE8E74040DDD81BA985AA44177,SHA256=A7B3906DD8FA6DF1052C79046054ACCECEC147898CC15CCDB9658F962F9CA420,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079420Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:40.253{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079419Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:40.253{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF87A4AE6AEFB7D687DBF299A836FDC7,SHA256=33F389A6BC54B8166A1664877FE1E6960D9FAA6D4083D5538BDD32AD8C7BD066,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077490Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.817{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\TileDataLayer\Database\readme.txt2021-06-04 14:29:40.817 11241100x800000000000000077489Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.801{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\readme.txt2021-06-04 14:29:40.801 11241100x800000000000000077488Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.801{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\readme.txt2021-06-04 14:29:40.801 11241100x800000000000000077487Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.801{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\readme.txt2021-06-04 14:29:40.801 11241100x800000000000000077486Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.801{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\readme.txt2021-06-04 14:29:40.801 11241100x800000000000000077485Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.786{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\readme.txt2021-06-04 14:29:40.786 11241100x800000000000000077484Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.786{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Packages\ActiveSync\readme.txt2021-06-04 14:29:40.786 11241100x800000000000000077483Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.786{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Microsoft\Vault\readme.txt2021-06-04 14:29:40.786 11241100x800000000000000077482Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.786{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Microsoft\PlayReady\readme.txt2021-06-04 14:29:40.786 11241100x800000000000000077481Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.770{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Microsoft\PenWorkspace\readme.txt2021-06-04 14:29:40.770 11241100x800000000000000077480Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.770{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Microsoft\Media Player\readme.txt2021-06-04 14:29:40.770 11241100x800000000000000077479Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.723{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Microsoft\Internet Explorer\readme.txt2021-06-04 14:29:40.723 11241100x800000000000000077478Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.723{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Microsoft\InstallAgent\readme.txt2021-06-04 14:29:40.723 11241100x800000000000000077477Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.723{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Microsoft\Feeds Cache\readme.txt2021-06-04 14:29:40.723 11241100x800000000000000077476Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.707{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Microsoft\Feeds\readme.txt2021-06-04 14:29:40.707 11241100x800000000000000077475Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:40.707{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Local\Microsoft\Credentials\readme.txt2021-06-04 14:29:40.707 354300x800000000000000077474Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:37.383{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50711-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000077508Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:41.942{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84EA8202FD0BFD91E72CA7FB576B2B7,SHA256=6BF8CB4C615B0AC50A240D7191D5597E3DD7DF229A9959ECB17F3C63A9CE7560,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079423Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:39.973{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53874-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000079422Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:41.300{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079421Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:41.300{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4FF60442B79AB1266D9BD3F0B21BD8,SHA256=903B699874A6EECB3E577822133AEDC6D3BD9AD956B272EEEF17CE280C1FEC51,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077507Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:41.848{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Africa\readme.txt2021-06-04 14:29:41.848 11241100x800000000000000077506Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:41.832{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8\8.6\tdbc\readme.txt2021-06-04 14:29:41.832 11241100x800000000000000077505Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:41.832{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8\8.4\platform\readme.txt2021-06-04 14:29:41.832 11241100x800000000000000077504Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:41.832{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\etc\pki\ca-trust\extracted\readme.txt2021-06-04 14:29:41.832 11241100x800000000000000077503Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:41.801{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\etc\pki\ca-trust\extracted\pem\readme.txt2021-06-04 14:29:41.801 11241100x800000000000000077502Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:41.785{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\etc\pki\ca-trust\extracted\openssl\readme.txt2021-06-04 14:29:41.785 11241100x800000000000000077501Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:41.770{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\etc\pki\ca-trust\extracted\java\readme.txt2021-06-04 14:29:41.770 11241100x800000000000000077500Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:41.754{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\Microsoft\Vault\readme.txt2021-06-04 14:29:41.754 11241100x800000000000000077499Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:41.754{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\Microsoft\SystemCertificates\readme.txt2021-06-04 14:29:41.754 11241100x800000000000000077498Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:41.754{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\Microsoft\Protect\readme.txt2021-06-04 14:29:41.754 11241100x800000000000000077497Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:41.754{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\readme.txt2021-06-04 14:29:41.754 11241100x800000000000000077496Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:41.754{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\Microsoft\InputMethod\readme.txt2021-06-04 14:29:41.754 11241100x800000000000000077495Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:41.754{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\Microsoft\Crypto\readme.txt2021-06-04 14:29:41.754 11241100x800000000000000077494Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:41.754{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\Microsoft\Credentials\readme.txt2021-06-04 14:29:41.754 11241100x800000000000000077493Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:41.754{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\Roaming\Adobe\Flash Player\readme.txt2021-06-04 14:29:41.754 11241100x800000000000000077492Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.localDefaultUserModified2021-06-04 14:29:41.739{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Users\Default\AppData\LocalLow\Microsoft\CryptnetUrlCache\readme.txt2021-06-04 14:29:41.739 11241100x800000000000000079425Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:42.332{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079424Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:42.332{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BDBBCE86E7F22614C7DCB43FEF2EF0,SHA256=8AF69E1C70FCB34308A0A067B27BD7E3C3BEF9091C7B11EB0E27A3540889458E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077510Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:42.926{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B6C2468B9F72314689342AD3E8DF8B9,SHA256=0B454DB2B3C0C253B360D0E7AD7A7556FC6106D41FC571BB56D8B623ECDB484E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077509Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:42.254{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\America\readme.txt2021-06-04 14:29:42.254 11241100x800000000000000079427Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:43.347{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079426Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:43.347{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AF0F82B6C9E8B5A3DAF94C354F8DD8,SHA256=090AC86A954A46974EBCD1B675F87B0B0284705EC4B276BEB47E18868F3CCB9C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077514Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:43.395{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Asia\readme.txt2021-06-04 14:29:43.395 11241100x800000000000000077513Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:43.379{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Arctic\readme.txt2021-06-04 14:29:43.379 11241100x800000000000000077512Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:43.285{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Antarctica\readme.txt2021-06-04 14:29:43.285 23542300x800000000000000077511Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:43.005{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E1EF575E8648B7BB73031D2F7B4982,SHA256=7B2885EF46C2D6A262A7D77E8535EA7AA91136929AFE79ABD612ED059A3E2121,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077522Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:44.707{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Europe\readme.txt2021-06-04 14:29:44.707 11241100x800000000000000077521Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:44.457{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Etc\readme.txt2021-06-04 14:29:44.457 11241100x800000000000000077520Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:44.442{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Chile\readme.txt2021-06-04 14:29:44.442 11241100x800000000000000077519Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:44.379{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Canada\readme.txt2021-06-04 14:29:44.379 11241100x800000000000000077518Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:44.348{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Brazil\readme.txt2021-06-04 14:29:44.348 23542300x800000000000000077517Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:44.239{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3586CB5336891001C202F1D9539C95,SHA256=ABE4427F31C12779F7D2ADC2682AFE80BD4E5AA0E07F492A5C2BC1D1ABA3521A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079429Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:44.363{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079428Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:44.363{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83850C0A3F1A85AAAB7CE60E61569C8,SHA256=811EFCF558C659F5D84607E9A4DE8ABB01E7F02850F6BD0B69C031924FEDF39D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077516Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:44.176{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Australia\readme.txt2021-06-04 14:29:44.176 11241100x800000000000000077515Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:44.098{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Atlantic\readme.txt2021-06-04 14:29:44.098 11241100x800000000000000077531Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:45.910{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\git-doc\howto\readme.txt2021-06-04 14:29:45.910 11241100x800000000000000077530Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:45.817{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tk8.6\demos\images\readme.txt2021-06-04 14:29:45.817 11241100x800000000000000077529Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:45.723{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\US\readme.txt2021-06-04 14:29:45.723 11241100x800000000000000077528Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:45.614{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\SystemV\readme.txt2021-06-04 14:29:45.614 11241100x800000000000000077527Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:45.301{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Pacific\readme.txt2021-06-04 14:29:45.301 23542300x800000000000000077526Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:45.301{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B7347418A05F7513E585533D946C8D,SHA256=CFB7574E772DEED061B08FF9C4780F24D308E080A801D5C5283D5487BE510E70,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079431Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:45.394{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079430Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:45.394{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720E52AFABCF8B3A530C97B58BA7FB2E,SHA256=D2F5E365C036ADF49F7E12C7E0331E71371E0B7936A8AAF2AB809550098E43FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077525Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:45.270{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Mexico\readme.txt2021-06-04 14:29:45.270 11241100x800000000000000077524Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:45.207{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Indian\readme.txt2021-06-04 14:29:45.192 354300x800000000000000077523Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:42.413{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50712-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000079433Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:46.519{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079432Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:46.519{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84D2810C045A72AAD319161423A572F,SHA256=597B2D9206E5B6FD66972CD33C7ACFBB9C2CF863EED9D829403EF341E6DBA343,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077572Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.942{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\vendor_perl\SVN\readme.txt2021-06-04 14:29:46.942 11241100x800000000000000077571Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.926{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\vendor_perl\Net\readme.txt2021-06-04 14:29:46.926 11241100x800000000000000077570Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.864{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\vendor_perl\HTML\readme.txt2021-06-04 14:29:46.864 11241100x800000000000000077569Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.864{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\vendor_perl\auto\readme.txt2021-06-04 14:29:46.864 11241100x800000000000000077568Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.848{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Win32API\readme.txt2021-06-04 14:29:46.848 11241100x800000000000000077567Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.832{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Unicode\readme.txt2021-06-04 14:29:46.832 11241100x800000000000000077566Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.817{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Time\readme.txt2021-06-04 14:29:46.817 11241100x800000000000000077565Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.801{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\threads\readme.txt2021-06-04 14:29:46.801 11241100x800000000000000077564Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.785{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Sys\readme.txt2021-06-04 14:29:46.785 11241100x800000000000000077563Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.770{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Sub\readme.txt2021-06-04 14:29:46.770 11241100x800000000000000077562Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.770{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Scalar\readme.txt2021-06-04 14:29:46.770 11241100x800000000000000077561Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.739{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\PerlIO\readme.txt2021-06-04 14:29:46.739 11241100x800000000000000077560Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.723{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\MIME\readme.txt2021-06-04 14:29:46.723 11241100x800000000000000077559Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.723{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Math\readme.txt2021-06-04 14:29:46.723 11241100x800000000000000077558Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.707{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\List\readme.txt2021-06-04 14:29:46.707 11241100x800000000000000077557Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.676{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\IPC\readme.txt2021-06-04 14:29:46.676 11241100x800000000000000077556Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.614{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\IO\readme.txt2021-06-04 14:29:46.614 11241100x800000000000000077555Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.614{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\I18N\readme.txt2021-06-04 14:29:46.614 11241100x800000000000000077554Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.598{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Hash\readme.txt2021-06-04 14:29:46.598 11241100x800000000000000077553Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.598{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Filter\readme.txt2021-06-04 14:29:46.598 11241100x800000000000000077552Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.582{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\File\readme.txt2021-06-04 14:29:46.582 11241100x800000000000000077551Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.473{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Encode\readme.txt2021-06-04 14:29:46.473 11241100x800000000000000077550Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.457{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Digest\readme.txt2021-06-04 14:29:46.457 11241100x800000000000000077549Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.442{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Devel\readme.txt2021-06-04 14:29:46.442 11241100x800000000000000077548Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.426{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Data\readme.txt2021-06-04 14:29:46.426 11241100x800000000000000077547Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.426{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\CORE\readme.txt2021-06-04 14:29:46.426 11241100x800000000000000077546Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.426{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\Compress\readme.txt2021-06-04 14:29:46.426 11241100x800000000000000077545Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.395{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\B\readme.txt2021-06-04 14:29:46.395 11241100x800000000000000077544Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.395{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\core_perl\auto\readme.txt2021-06-04 14:29:46.395 11241100x800000000000000077543Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.332{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\perl5\Git\SVN\readme.txt2021-06-04 14:29:46.332 23542300x800000000000000077542Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.317{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23715FBD2BB0DA943D7E53A2431DC95,SHA256=80DEA0BC0B490148B8A98CDAD1BDFC1772E3BE9C0B7EDC05DB9E385C83F55368,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077541Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.317{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\perl5\Git\LoadCPAN\readme.txt2021-06-04 14:29:46.317 11241100x800000000000000077540Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.301{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\perl5\FromCPAN\Mail\readme.txt2021-06-04 14:29:46.301 11241100x800000000000000077539Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.301{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libwinpthread\mingw-w64-libraries\readme.txt2021-06-04 14:29:46.301 11241100x800000000000000077538Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.301{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\libiconv\libcharset\readme.txt2021-06-04 14:29:46.301 11241100x800000000000000077537Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.285{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\gettext\gnulib-local\readme.txt2021-06-04 14:29:46.285 11241100x800000000000000077536Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.285{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\gettext\gettext-tools\readme.txt2021-06-04 14:29:46.285 11241100x800000000000000077535Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.270{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\licenses\gettext\gettext-runtime\readme.txt2021-06-04 14:29:46.270 11241100x800000000000000077534Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.256{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\xz\examples\readme.txt2021-06-04 14:29:46.256 11241100x800000000000000077533Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.256{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\mpfr\examples\readme.txt2021-06-04 14:29:46.256 11241100x800000000000000077532Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:46.035{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\mingw64\share\doc\git-doc\technical\readme.txt2021-06-04 14:29:46.035 11241100x800000000000000079435Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:47.660{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079434Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:47.660{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B799893B66E7336F38CCEFD0BCD6E0,SHA256=0BF730F1FF7168FB56BD05C03FBA3CC07C48468F452C290129272150B3EC53C8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077608Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.989{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Net\readme.txt2021-06-04 14:29:47.989 11241100x800000000000000077607Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.942{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Module\readme.txt2021-06-04 14:29:47.942 11241100x800000000000000077606Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.879{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Memoize\readme.txt2021-06-04 14:29:47.879 11241100x800000000000000077605Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.832{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Math\readme.txt2021-06-04 14:29:47.832 11241100x800000000000000077604Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.817{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\JSON\readme.txt2021-06-04 14:29:47.817 11241100x800000000000000077603Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.770{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\IPC\readme.txt2021-06-04 14:29:47.770 11241100x800000000000000077602Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.754{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\IO\readme.txt2021-06-04 14:29:47.754 11241100x800000000000000077601Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.739{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\I18N\readme.txt2021-06-04 14:29:47.739 11241100x800000000000000077600Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.723{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\HTTP\readme.txt2021-06-04 14:29:47.723 11241100x800000000000000077599Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.707{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Getopt\readme.txt2021-06-04 14:29:47.707 11241100x800000000000000077598Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.692{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Filter\readme.txt2021-06-04 14:29:47.692 11241100x800000000000000077597Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.629{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\File\readme.txt2021-06-04 14:29:47.629 11241100x800000000000000077596Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.614{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Exporter\readme.txt2021-06-04 14:29:47.614 11241100x800000000000000077595Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.614{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\encoding\readme.txt2021-06-04 14:29:47.614 11241100x800000000000000077594Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.567{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Encode\readme.txt2021-06-04 14:29:47.567 11241100x800000000000000077593Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.553{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Digest\readme.txt2021-06-04 14:29:47.553 11241100x800000000000000077592Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.535{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Devel\readme.txt2021-06-04 14:29:47.535 11241100x800000000000000077591Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.489{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\DBM_Filter\readme.txt2021-06-04 14:29:47.489 11241100x800000000000000077590Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.489{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Config\readme.txt2021-06-04 14:29:47.489 11241100x800000000000000077589Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.473{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Compress\readme.txt2021-06-04 14:29:47.473 11241100x800000000000000077588Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.457{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Class\readme.txt2021-06-04 14:29:47.457 11241100x800000000000000077587Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.457{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Carp\readme.txt2021-06-04 14:29:47.457 11241100x800000000000000077586Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.426{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\B\readme.txt2021-06-04 14:29:47.426 11241100x800000000000000077585Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.379{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\autodie\readme.txt2021-06-04 14:29:47.379 11241100x800000000000000077584Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.379{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Attribute\readme.txt2021-06-04 14:29:47.379 11241100x800000000000000077583Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.364{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Archive\readme.txt2021-06-04 14:29:47.364 11241100x800000000000000077582Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.348{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\App\readme.txt2021-06-04 14:29:47.348 11241100x800000000000000077581Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.333{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\icons\locolor\32x32\readme.txt2021-06-04 14:29:47.333 11241100x800000000000000077580Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.333{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\icons\locolor\16x16\readme.txt2021-06-04 14:29:47.333 23542300x800000000000000077579Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.333{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680814658729B7A9C29D2E73CA76E769,SHA256=2A4C54B5565DD7C9EE19A7A9C0233D69F46375E1C92A0CAAB31430DB84585F8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077578Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.333{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\icons\hicolor\48x48\readme.txt2021-06-04 14:29:47.333 11241100x800000000000000077577Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.051{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\gtk-doc\html\p11-kit\readme.txt2021-06-04 14:29:47.051 11241100x800000000000000077576Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.051{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\gdb\auto-load\usr\readme.txt2021-06-04 14:29:47.051 11241100x800000000000000077575Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.020{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8\8.6\tdbc\readme.txt2021-06-04 14:29:47.020 11241100x800000000000000077574Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.020{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\tcl8\8.4\platform\readme.txt2021-06-04 14:29:47.020 11241100x800000000000000077573Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:47.004{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\lib\perl5\vendor_perl\Term\readme.txt2021-06-04 14:29:47.004 11241100x800000000000000079445Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:48.847{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079444Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:48.847{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66041F5B58E14E811A78509C9CB8559E,SHA256=4CF766D60D737A6A94901E66D3EC0605B70015994F6F9A67C569DA2E416F04E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077639Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.973{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\Mail\readme.txt2021-06-04 14:29:48.973 11241100x800000000000000077638Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.895{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\LWP\readme.txt2021-06-04 14:29:48.895 11241100x800000000000000077637Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.879{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\JSON\readme.txt2021-06-04 14:29:48.879 11241100x800000000000000077636Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.801{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\IO\readme.txt2021-06-04 14:29:48.801 11241100x800000000000000077635Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.707{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\HTTP\readme.txt2021-06-04 14:29:48.707 11241100x800000000000000077634Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.707{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\HTML\readme.txt2021-06-04 14:29:48.707 11241100x800000000000000077633Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.692{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\File\readme.txt2021-06-04 14:29:48.692 11241100x800000000000000077632Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.676{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\Error\readme.txt2021-06-04 14:29:48.676 11241100x800000000000000077631Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.676{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\Encode\readme.txt2021-06-04 14:29:48.676 11241100x800000000000000077630Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.645{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\Date\readme.txt2021-06-04 14:29:48.645 11241100x800000000000000077629Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.629{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\Convert\readme.txt2021-06-04 14:29:48.629 11241100x800000000000000077628Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.614{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\Authen\readme.txt2021-06-04 14:29:48.614 11241100x800000000000000077627Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.614{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Win32API\readme.txt2021-06-04 14:29:48.614 11241100x800000000000000077626Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.598{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\warnings\readme.txt2021-06-04 14:29:48.598 11241100x800000000000000077625Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.598{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\version\readme.txt2021-06-04 14:29:48.598 11241100x800000000000000077624Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.582{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\User\readme.txt2021-06-04 14:29:48.582 23542300x800000000000000077623Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.553{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=621E060D366DD6910936C051E3BC0A19,SHA256=F38A0B229C764991EB9E2A96CE489F38CE129B48B7FE494CE832CD31DAC77B72,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077622Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.457{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\unicore\readme.txt2021-06-04 14:29:48.457 11241100x800000000000000077621Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.426{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Time\readme.txt2021-06-04 14:29:48.426 11241100x800000000000000077620Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.364{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Tie\readme.txt2021-06-04 14:29:48.364 11241100x800000000000000077619Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.332{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Thread\readme.txt2021-06-04 14:29:48.332 10341000x800000000000000079443Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:48.457{3F3E08E7-FC3E-60B9-3405-00000000C501}9524468C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6C07-00000000C501}5044C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079442Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:48.457{3F3E08E7-FC3E-60B9-3405-00000000C501}9524468C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6C07-00000000C501}5044C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079441Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:48.457{3F3E08E7-FC3E-60B9-3405-00000000C501}9524468C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6C07-00000000C501}5044C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079440Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:48.457{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6D07-00000000C501}2552C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079439Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:48.457{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6D07-00000000C501}2552C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079438Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:48.457{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6D07-00000000C501}2552C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079437Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:48.457{3F3E08E7-FC3E-60B9-3405-00000000C501}9524132C:\Windows\Explorer.EXE{3F3E08E7-07A4-60BA-6D07-00000000C501}2552C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000079436Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:45.786{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000077618Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.301{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Text\readme.txt2021-06-04 14:29:48.301 11241100x800000000000000077617Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.239{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Test2\readme.txt2021-06-04 14:29:48.239 11241100x800000000000000077616Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.192{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Test\readme.txt2021-06-04 14:29:48.192 11241100x800000000000000077615Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.160{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Term\readme.txt2021-06-04 14:29:48.160 11241100x800000000000000077614Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.145{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Search\readme.txt2021-06-04 14:29:48.145 11241100x800000000000000077613Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.145{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\PerlIO\readme.txt2021-06-04 14:29:48.145 11241100x800000000000000077612Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.133{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Perl\readme.txt2021-06-04 14:29:48.133 11241100x800000000000000077611Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.133{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Parse\readme.txt2021-06-04 14:29:48.133 11241100x800000000000000077610Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.133{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\Params\readme.txt2021-06-04 14:29:48.133 11241100x800000000000000077609Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.098{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\core_perl\overload\readme.txt2021-06-04 14:29:48.098 11241100x800000000000000077652Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.926{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\compiler\readme.txt2021-06-04 09:05:06.173 23542300x800000000000000077651Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.926{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\compiler\README.txtMD5=961F189A6FB803EA0E47A29FD908961C,SHA256=51D5980784304E5C547CBDE207A26AE31DDE955B99A78558FAAEA25C3D957B8F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077650Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.801{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\colors\readme.txt2021-06-04 09:05:06.126 23542300x800000000000000077649Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.801{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\colors\README.txtMD5=F1A23F3A6F809D18D3A17300319C5E47,SHA256=78F550034C6ECFD15F603014C0450D9E029ABF0C276BCFBF0102929D51AE4991,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077648Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.504{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\autoload\readme.txt2021-06-04 09:05:06.079 23542300x800000000000000077647Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.504{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\autoload\README.txtMD5=2D99F4EF102E29E6CD36A19975D4968E,SHA256=37AB54C6C5C4C530A855647CF2AC05C3B4C03BF16B21EEC913B5EA1B95CE59F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077646Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.489{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\WWW\readme.txt2021-06-04 14:29:49.489 23542300x800000000000000077645Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.348{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA482DB1525CA793CB142A8BB8582ABA,SHA256=8AC31DE73AECD689EA2DC36B7839D990DB065FDE5D83B24AA17AD6CE03AFD701,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077644Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.161{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\URI\readme.txt2021-06-04 14:29:49.161 11241100x800000000000000077643Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.145{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\Try\readme.txt2021-06-04 14:29:49.145 11241100x800000000000000077642Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.129{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\Time\readme.txt2021-06-04 14:29:49.129 11241100x800000000000000077641Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.114{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\Net\readme.txt2021-06-04 14:29:49.114 11241100x800000000000000077640Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:49.051{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\perl5\vendor_perl\MIME\readme.txt2021-06-04 14:29:49.051 11241100x800000000000000077655Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:50.629{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\doc\readme.txt2021-06-04 14:29:50.629 354300x800000000000000077654Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:48.225{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50713-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000077653Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:50.364{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BDA7D305F84E44D5977BC4D05B3AF5,SHA256=D14D40B9FC68D261FCC4DDCCA842B54F86EA450D457C47BE2516788D02EF52A1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079449Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:50.503{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-06-04 09:23:23.209 23542300x800000000000000079448Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:50.503{3F3E08E7-02DF-60BA-6306-00000000C501}4144NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E787AE74F389A1BD79FA5CAE42113AF9,SHA256=75A92A74657C280F5B2D1AEF350C3E4430D673CECFA873EAFEE8F06028F98FC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079447Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:50.050{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079446Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:50.050{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3318FFC6E69821CB7D56897D9B8FA27,SHA256=9B342C383D071571000C3C757FE9A545EF76BE70556A7B5363A8AF4BE3329AB4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077658Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:51.989{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\ftplugin\readme.txt2021-06-04 09:05:06.657 23542300x800000000000000077657Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:51.989{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\ftplugin\README.txtMD5=6FC526040D33514956850E8F314427D1,SHA256=DC6C6B8A23BCA4E6F3A7A33A919314FCC4CDB207753DC1E844CE4C42F29A6785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077656Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:51.380{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C70AAB9D6BFBCEC8527E1D9C7E287D,SHA256=9479E86BBA056B5926941AB73F475C53A30764795138D1F2CDA0EB7D73FC9313,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079451Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:51.082{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079450Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:51.082{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1CEF7D004E84DE8CE55E8E2980E895,SHA256=D184545CF7A91B5D4061B56C0CC230951C52595D720BB2F6B4C08E712C094BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077659Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:52.395{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E686BAC0B39E117383BBEB0E8385D983,SHA256=F44DEBCE974681B0338BBBD99C11C3A6DA4B7B5E805F27EDAC5B0C4E3E34455D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079454Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:52.222{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079453Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:52.222{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C6C7CCE127B07D3D6CB2CBFEC99D68,SHA256=29BA5CB624C72FC220EF81898E840BC404937A1B5C3F7B0169175A319FAF79E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079452Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:50.223{3F3E08E7-02DF-60BA-6306-00000000C501}4144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 11241100x800000000000000077662Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:53.692{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\indent\readme.txt2021-06-04 09:05:06.798 23542300x800000000000000077661Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:53.692{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\indent\README.txtMD5=6A8930BFA89E8C41391982BF4A1F9A87,SHA256=FB3B78C1681836B3923C3F7D62BCFB2F7B070ADBAF6211C2291CA6FAC5E191EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077660Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:53.411{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E612B4F70189A4C6EC47DF1FD86CAF41,SHA256=5A9AB985DC2A014FDCF514D8086FB2D95FF3B3DBD40108005D19A5B9A37D2E71,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079457Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:53.285{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079456Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:53.285{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9EA177894EA8A7D28A6B0266A7BC94,SHA256=5E2630B268D3AE8021D3828A0E33B98FA6D2CE07E0B191EF384BF10F65330C7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079455Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:50.848{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53877-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000079459Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:54.316{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079458Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:54.316{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A4BA612FF922A845F09CF48DEA93F4,SHA256=C2FDDE82A4015E0CC677E45F8FFE453AFAA4FD5F7C46535F7F4D25589FD57211,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077666Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:54.598{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\keymap\readme.txt2021-06-04 09:05:06.891 23542300x800000000000000077665Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:54.598{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\keymap\README.txtMD5=DF5BCAE444E527EACE9EEB308EF83DE1,SHA256=28D65D84E9679EB4808FBEE00840110232AC6FE36496A6B74D928EB04F3AD4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077664Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:54.426{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81ADF0AD0DF495D5DB46CF64D0137307,SHA256=B79200FA477365A5F3ED4FFE989BAED864ED03CC8A2BE7315934B6A796A28483,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077663Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:54.145{89999F75-EECF-60B9-0D00-00000000C401}9004988C:\Windows\system32\svchost.exe{89999F75-EED0-60B9-1600-00000000C401}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000077671Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:53.225{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50714-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000077670Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:55.535{89999F75-EED0-60B9-1100-00000000C401}376NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FFCD718B9E7B7C3AC295F8DC76317A57,SHA256=2C87FB8F77F2AE48691209306FA1CFD55A985D43D555E04E81F69DC28B18CB70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077669Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:55.442{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F9941DC84DF077C58A55C84F7AE0CE,SHA256=5866DE3DDFE610CDFBAFA0CBF23DD08214B93BE09E0F198B7914B35F3FF285DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079461Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:55.332{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079460Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:55.332{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382CD4A70658F76070053FBA15AF01C3,SHA256=62F3393808432471F22E776A7D29742D4A58D1AA4E317CE985BF972EA4E5FD45,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077668Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:55.160{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\lang\readme.txt2021-06-04 09:05:07.204 23542300x800000000000000077667Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:55.160{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\lang\README.txtMD5=A0536B6A4F9D6F5B2BAFBB21A3ED2A41,SHA256=A7B619DC51C40852EF2F7310FD3CF0FBC7B88E2E6EEAA632770092B0C8BB1D43,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077681Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:56.895{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\syntax\readme.txt2021-06-04 09:05:07.970 23542300x800000000000000077680Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:56.895{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\syntax\README.txtMD5=4299D25A1F615CA9F3F269916DD0E911,SHA256=6F8C47BA946FEBEF82D95D1132E31A7F4F8921986B7A26D51B7DBB877A6B08D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077679Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:56.707{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\spell\readme.txt2021-06-04 14:29:56.707 11241100x800000000000000077678Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:56.457{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\print\readme.txt2021-06-04 14:29:56.457 23542300x800000000000000077677Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:56.457{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F741BB4CD3286FB35676E4D577C90C4B,SHA256=E70EA12906A97756B868BFA3C6EF83DD1B5132369AE34E882964DEBBEBA8C8CE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079463Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:56.347{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079462Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:56.347{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E43AA1C810974F70281DAC8B845400,SHA256=EC56646B0DD3ACE49281E14354B9A70C1D8F9A92F6EF49F1962DCAEE2050E709,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077676Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:56.379{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\plugin\readme.txt2021-06-04 09:05:07.376 23542300x800000000000000077675Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:56.379{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\plugin\README.txtMD5=BE4A589DDFF2D23614980E4767254E4C,SHA256=AD37E84B4AE98F276FCC1D1993F630138BBA16F2411D576E0CB1E4B4F7C128A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077674Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:56.364{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\pack\readme.txt2021-06-04 14:29:56.364 11241100x800000000000000077673Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:56.317{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\macros\readme.txt2021-06-04 09:05:07.329 23542300x800000000000000077672Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:56.317{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\macros\README.txtMD5=965970302223A8A10830DFB4B0C84685,SHA256=67F5185C8A319314D1CFBB768B778BE0A91A188AC0B85FF78779ACE8279941E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077682Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:57.473{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61D21C7C0AB60670BC5E60A3604F3E8,SHA256=785C0ED348E3BC1EE62E7FD5BEF10253561646BE397C69E37B1E5CCFB98D648F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079465Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:57.363{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079464Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:57.363{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3602AEFBDBEC703D7C2D552323C80D4D,SHA256=BC44E0DF6DCFD84FDFEAD7978CEF66A14C911AA8D412DAD6AB7D729FC54E243B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079468Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:58.378{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079467Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:58.378{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3880EDCCBC3E3B55F41FD4A3C63D5B9,SHA256=FEF32BC601A54A24BB0F78E39F36C20374602C1DAE958095214E61987F878AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077683Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:58.489{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7E4EA16A3AD43457C46F109EF7EE68,SHA256=20BEBBAF9D2E856672BC01A4A67556A7BE0FF33B9537D3DF9B4C4B85424EC24E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079466Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:55.880{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000077684Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:59.504{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C76D89D9F11AE6572ADB00AB9D3E90B,SHA256=EA00B0992ED6F92EFBF694DB3699F7C051BAA2A8D555D53C4B77A05A0C7C4F89,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079471Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:59.394{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079470Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:59.394{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3D0E0C984424FA40EA777F7B6BBC8F,SHA256=89B70352884825F5EF55CBE3FFDF692220AC5F6721D736F28FC2FE21806651E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079469Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:29:59.050{3F3E08E7-F094-60B9-0D00-00000000C501}7762372C:\Windows\system32\svchost.exe{3F3E08E7-F094-60B9-1400-00000000C501}884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000077685Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:00.516{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95ED0C9F9D26F0D5D6C1CA50DD4EA80E,SHA256=94182EFF825DA368F7429E14845CEB79DC61B9EF899CC138A977EF4B4255023C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079473Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:00.406{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079472Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:00.406{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37DB3E6CC88BEAC8BD2ECFBF01F8EA0,SHA256=CF56B144C0AA2C4FEC47A8AFDBE10C964095C3522C711BF550039F1D1128B822,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077691Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:01.891{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\tutor\readme.txt2021-06-04 09:05:08.204 23542300x800000000000000077690Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:01.891{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\tutor\README.txtMD5=D5E83460FDD94DF73ED76A92D196EEEE,SHA256=780B1C3CEA8273FC422347A35808B09D9E4D3D75984D572D34835C5744D6E0C1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077689Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:01.737{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\Git\usr\share\vim\vim82\tools\readme.txt2021-06-04 09:05:08.204 23542300x800000000000000077688Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:01.737{89999F75-EECB-60B9-0100-00000000C401}4NT AUTHORITY\SYSTEMSystemC:\Program Files\Git\usr\share\vim\vim82\tools\README.txtMD5=C357BFE88EE44C193591AC8ABC5D88E2,SHA256=9E6448D04D119D45D17A374CAAD9E18A661E1D85BDAE0D5EEF4B979B71239869,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077687Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:29:59.253{89999F75-EEEB-60B9-6C00-00000000C401}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-392.attackrange.local50715-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000077686Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:01.532{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48ADD0BE2FC296CCDF49C83C56210B5B,SHA256=3FA80386A2109E3BF642E1AC0DD825607BC1E50FC3EB2EA4E27F660B350F6CED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079476Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:01.406{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079475Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:01.406{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3755B06EFD6DCBFE1F11917B0C0FA3,SHA256=F2EB9D9785D1FCE0A7611D4F59F0E144214E07B256A648A5991000E1D128B3B8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000079474Microsoft-Windows-Sysmon/Operationalwin-host-243-SetValue2021-06-04 14:30:01.344{3F3E08E7-F094-60B9-1500-00000000C501}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7594e-0x1a4004f7) 11241100x800000000000000077695Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:02.595{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\darwin_x86_64\bin\readme.txt2021-06-04 14:30:02.595 11241100x800000000000000077694Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:02.579{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\configs\itsi\readme.txt2021-06-04 14:30:02.579 11241100x800000000000000077693Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:02.579{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\configs\es\readme.txt2021-06-04 14:30:02.579 23542300x800000000000000077692Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:02.548{89999F75-EEF2-60B9-7500-00000000C401}3476NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F27D5AFB4A52F560C7D41539F5664C7,SHA256=E2C2ED787B6D05385F54EEA57AE4882B89D2537E63A8C3F549180CDEC684E6C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079479Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:00.892{3F3E08E7-02E6-60BA-9106-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-243.eu-central-1.compute.internal53879-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000079478Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:02.422{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-06-04 09:21:55.073 23542300x800000000000000079477Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:02.422{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6675BCB1DFB4209A3C3B9C7419B1C4B5,SHA256=2D5383A4D8203852E6F8AFD47A42F16E3CBE81631ED9C651B310D026E3E06730,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000077696Microsoft-Windows-Sysmon/Operationalwin-dc-392.attackrange.local-2021-06-04 14:30:03.485{89999F75-EECB-60B9-0100-00000000C401}4SystemC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\default\vocabularies\readme.txt2021-06-04 14:30:03.485 11241100x800000000000000079483Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:03.203{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-06-04 09:20:37.385 23542300x800000000000000079482Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:03.203{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=53482DDE077347E241B014527380D4DC,SHA256=0D976ED56CBAB37B270653083F01D57AA76BD11707C62D87AC0CACB4B3D296BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000079481Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:03.203{3F3E08E7-02EC-60BA-9B06-00000000C501}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-06-04 09:20:37.385 23542300x800000000000000079480Microsoft-Windows-Sysmon/Operationalwin-host-243-2021-06-04 14:30:03.203{3F3E08E7-02EC-60BA-9B06-00000000C501}4412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DEE5B3A6AFEDC11D99449CC1B8601739,SHA256=0233169A10ED6369B971544B1BFA14106BF91C0B3CBC807E431DE3052DDA82DE,IMPHASH=00000000000000000000000000000000falsetrue